Technologies for trusted i/o with a channel identifier filter and processor-based cryptographic engine

ABSTRACT

Technologies for trusted I/O include a computing device having a processor, a channel identifier filter, and an I/O controller. The I/O controller may generate an I/O transaction that includes a channel identifier and a memory address. The channel identifier filter verifies that the memory address of the I/O transaction is within a processor reserved memory region associated with the channel identifier. The processor reserved memory region is not accessible to software executed by the computing device. The processor encrypts I/O data at the memory address in response to invocation of a processor feature and copies the encrypted data to a memory buffer outside of the processor reserved memory region. The processor may securely clean the processor reserved memory region before encrypting and copying the data. The processor may wrap and unwrap programming information for the channel identifier filter. Other embodiments are described and claimed.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation application of U.S. application Ser. No. 15/628,008, entitled “TECHNOLOGIES FOR TRUSTED I/O WITH A CHANNEL IDENTIFIER FILTER AND PROCESSOR-BASED CRYPTOGRAPHIC ENGINE,” which was filed on Jun. 20, 2017, and which claims the benefit of U.S. Provisional Patent Application Nos. 62/352,356 and 62/352,357, which were both filed Jun. 20, 2016.

BACKGROUND

Current processors may provide support for a trusted execution environment such as a secure enclave. Secure enclaves include segments of memory (including code and/or data) protected by the processor from unauthorized access including unauthorized reads and writes. In particular, certain processors may include Intel® Software Guard Extensions (SGX) to provide secure enclave support. In particular, SGX provides confidentiality, integrity, and replay-protection to the secure enclave data while the data is resident in the platform memory and thus provides protection against both software and hardware attacks. The on-chip boundary forms a natural security boundary, where data and code may be stored in plaintext and assumed to be secure. Intel® SGX does not protect I/O data that moves across the on-chip boundary.

Trusted I/O (TIO) technology enables an application to send and/or receive I/O data securely to/from a device. In addition to the hardware that produces or consumes the I/O data, several software and firmware components in the I/O pipeline might also process the data. HCTIO (Hardware Cryptography-based Trusted I/O) is a technology that provides cryptographic protection of DMA data via an inline Crypto Engine (CE) in the system-on-a-chip (SoC). Channel ID, an identifier, uniquely identifies a DMA channel on the platform, and the CE filters DMA traffic and encrypts select I/O transactions upon a match with the Channel ID programmed in the CE.

BRIEF DESCRIPTION OF THE DRAWINGS

The concepts described herein are illustrated by way of example and not by way of limitation in the accompanying figures. For simplicity and clarity of illustration, elements illustrated in the figures are not necessarily drawn to scale. Where considered appropriate, reference labels have been repeated among the figures to indicate corresponding or analogous elements.

FIG. 1 is a simplified block diagram of at least one embodiment of a computing device for an instruction set architecture for trusted I/O;

FIG. 2 is a simplified block diagram of at least one embodiment of an environment of the computing device of FIG. 1;

FIG. 3 is a simplified block diagram of at least one embodiment of a system I/O stack that may be established by the computing device of FIGS. 1 and 2;

FIG. 4 is a simplified flow diagram of at least one embodiment of a method for protecting I/O data that may be executed by the computing device of FIGS. 1-3;

FIGS. 5A and 5B are a simplified flow diagram of at least one embodiment of a method for programming a trusted I/O channel that may be executed by the computing device of FIGS. 1-3;

FIGS. 6A and 6B are a simplified flow diagram of at least one embodiment of a method for protecting I/O data that may be executed by the computing device of FIGS. 1-3; and

FIG. 7 is a schematic diagram illustrating at least one embodiment of a memory layout that may be established by the computing device of FIGS. 1-3.

DETAILED DESCRIPTION OF THE DRAWINGS

While the concepts of the present disclosure are susceptible to various modifications and alternative forms, specific embodiments thereof have been shown by way of example in the drawings and will be described herein in detail. It should be understood, however, that there is no intent to limit the concepts of the present disclosure to the particular forms disclosed, but on the contrary, the intention is to cover all modifications, equivalents, and alternatives consistent with the present disclosure and the appended claims.

References in the specification to “one embodiment,” “an embodiment,” “an illustrative embodiment,” etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may or may not necessarily include that particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described. Additionally, it should be appreciated that items included in a list in the form of “at least one A, B, and C” can mean (A); (B); (C); (A and B); (A and C); (B and C); or (A, B, and C). Similarly, items listed in the form of “at least one of A, B, or C” can mean (A); (B); (C); (A and B); (A and C); (B and C); or (A, B, and C).

The disclosed embodiments may be implemented, in some cases, in hardware, firmware, software, or any combination thereof. The disclosed embodiments may also be implemented as instructions carried by or stored on a transitory or non-transitory machine-readable (e.g., computer-readable) storage medium, which may be read and executed by one or more processors. A machine-readable storage medium may be embodied as any storage device, mechanism, or other physical structure for storing or transmitting information in a form readable by a machine (e.g., a volatile or non-volatile memory, a media disc, or other media device).

In the drawings, some structural or method features may be shown in specific arrangements and/or orderings. However, it should be appreciated that such specific arrangements and/or orderings may not be required. Rather, in some embodiments, such features may be arranged in a different manner and/or order than shown in the illustrative figures. Additionally, the inclusion of a structural or method feature in a particular figure is not meant to imply that such feature is required in all embodiments and, in some embodiments, may not be included or may be combined with other features.

Referring now to FIG. 1, an illustrative computing device 100 for an instruction set architecture for trusted I/O is shown. In use, as described below, the computing device 100 includes processor-based cryptographic engine and inline channel identifier (CID) filter hardware. The computing device 100 establishes a trusted I/O (TIO) processor reserved memory (PRM) region that is inaccessible to software. The processor provides instruction set architecture (ISA) support to allow unprivileged software (e.g., one or more secure enclaves) to bind and wrap channel programming information to the cryptographic engine and the CID filter. The processor ISA support allows privileged software to securely unwrap the programming information to program the CID filter and the cryptographic engine. After programming, the processor ISA support allows the privileged software to securely clean the TIO PRM region of memory to prevent data leaks. After programming, the processor ISA support allows the privileged software to copy and encrypt plaintext I/O data from the TIO PRM region into ordinary kernel and/or user memory buffers without software access to the plaintext I/O data. Thus, the computing device 100 allows for secure programming of the DMA channels that allows untrusted ring-0 software to be in control of the channels that are programmed while still maintaining confidentiality and integrity. Additionally, the computing device 100 allows for secure data movement from the TIO PRM to kernel and user memory buffers, with the plaintext data inaccessible to potentially untrusted system software.

The computing device 100 may be embodied as any type of device capable of performing the functions described herein. For example, the computing device 100 may be embodied as, without limitation, a computer, a laptop computer, a tablet computer, a notebook computer, a mobile computing device, a smartphone, a wearable computing device, a multiprocessor system, a server, a workstation, and/or a consumer electronic device. As shown in FIG. 1, the illustrative computing device 100 includes a processor 120, an I/O subsystem 128, a memory 130, a data storage device 132, a CID filter 136, and one or more I/O controllers 138. Additionally, in some embodiments, one or more of the illustrative components may be incorporated in, or otherwise form a portion of, another component. For example, the memory 130, or portions thereof, may be incorporated in the processor 120 in some embodiments.

The processor 120 may be embodied as any type of processor capable of performing the functions described herein. For example, the processor 120 may be embodied as a single or multi-core processor(s), digital signal processor, microcontroller, or other processor or processing/controlling circuit. As shown, the processor 120 illustratively includes secure enclave support 122, a cryptographic engine 124, and a cryptographic engine instruction set architecture (ISA) 126. The secure enclave support 122 allows the processor 120 to establish a trusted execution environment known as a secure enclave, in which executing code may be measured, verified, and/or otherwise determined to be authentic. Additionally, code and data included in the secure enclave may be encrypted or otherwise protected from being accessed by code executing outside of the secure enclave. For example, code and data included in the secure enclave may be protected by hardware protection mechanisms of the processor 120 while being executed or while being stored in certain protected cache memory of the processor 120. The code and data included in the secure enclave may be encrypted when stored in a shared cache or the main memory 130. The secure enclave support 122 may be embodied as a set of processor instruction extensions that allows the processor 120 to establish one or more secure enclaves in the memory 130. For example, the secure enclave support 122 may be embodied as Intel® Software Guard Extensions (SGX) technology.

The cryptographic engine 124 may be embodied as one or more hardware functional blocks (IP blocks), microcode, or other resources of the processor 120 that allows the processor 120 to perform trusted I/O (TIO) functions. For example, as described further below, the cryptographic engine 124 may perform TIO functions such as encrypting and/or decrypting DMA I/O data input from and/or output to one or more I/O devices 142. In particular, as described further below, in some embodiments, plaintext I/O data may be stored in a TIO Processor Reserved Memory (TIO PRM) region that is not accessible to software of the computing device 100, and the cryptographic engine 124 may be used to encrypt the plaintext DMA I/O data and copy the encrypted data to an ordinary kernel I/O buffer. The processor 120 may also include one or more range registers or other features to protect the TIO PRM from unauthorized access.

The cryptographic engine ISA 126 may be embodied as one or more processor instructions, model-specific registers, or other processor features that allows software executed by the processor 120 to securely program and otherwise use the cryptographic engine 124 and a corresponding CID filter 136, described further below. For example, as described further below, the cryptographic engine ISA 126 may include processor features to bind programming instructions to the cryptographic engine 124 and/or the CID filter 136, unwrap bound programming instructions, securely clean the TIO PRM region of the memory 130, and/or securely copy and encrypt data from the TIO PRM region to a kernel I/O buffer.

The memory 130 may be embodied as any type of volatile or non-volatile memory or data storage capable of performing the functions described herein. In operation, the memory 130 may store various data and software used during operation of the computing device 100 such as operating systems, applications, programs, libraries, and drivers. As described further below, the memory 130 may also include the TIO PRM region. The memory 130 is communicatively coupled to the processor 120 via the I/O subsystem 128, which may be embodied as circuitry and/or components to facilitate input/output operations with the processor 120, the memory 130, and other components of the computing device 100. For example, the I/O subsystem 128 may be embodied as, or otherwise include, memory controller hubs, input/output control hubs, sensor hubs, host controllers, firmware devices, communication links (i.e., point-to-point links, bus links, wires, cables, light guides, printed circuit board traces, etc.) and/or other components and subsystems to facilitate the input/output operations. In some embodiments, the memory 130 may be directly coupled to the processor 120, for example via an integrated memory controller hub. The I/O subsystem 128 may further include secure routing support, which may include hardware support to ensure I/O data cannot be misrouted in the I/O subsystem 128 under the influence of rogue software. The secure routing support may be used with the CID filter 136 to provide cryptographic protection of I/O data. Additionally, in some embodiments, the I/O subsystem 128 may form a portion of a system-on-a-chip (SoC) and be incorporated, along with the processor 120, the memory 130, and other components of the computing device 100, on a single integrated circuit chip. Additionally or alternatively, in some embodiments the processor 120 may include an integrated memory controller and a system agent, which may be embodied as a logic block in which data traffic from processor cores and I/O devices converges before being sent to the memory 130.

The data storage device 132 may be embodied as any type of device or devices configured for short-term or long-term storage of data such as, for example, memory devices and circuits, memory cards, hard disk drives, solid-state drives, non-volatile flash memory, or other data storage devices. The computing device 100 may also include a communications subsystem 134, which may be embodied as any communication circuit, device, or collection thereof, capable of enabling communications between the computing device 100 and other remote devices over a computer network (not shown). The communications subsystem 134 may be configured to use any one or more communication technology (e.g., wired or wireless communications) and associated protocols (e.g., Ethernet, Bluetooth®, Wi-Fi®, WiMAX, 3G, 4G LTE, etc.) to effect such communication.

The CID filter 136 may be embodied as any hardware component, functional block, logic, or other circuit that performs CID filtering function(s), including filtering I/O transactions based on CIDs inserted by the I/O controllers 138. For example, the CID filter 136 may observe DMA transactions inline, perform test(s) based on the CID and memory address included in the transaction, and drop transactions that fail the test(s). In the illustrative embodiment, the CID filter 136 is included in an SoC with the processor 120 and I/O subsystem 128. In other embodiments, the CID filter 136 may be incorporated in one or more components such as the I/O subsystem 128.

Each of the I/O controllers 138 may be embodied as any embedded controller, microcontroller, microprocessor, functional block, logic, or other circuit or collection of circuits capable of performing the functions described herein. In some embodiments, one or more of the I/O controllers 138 may be embedded in another component of the computing device 100 such as the I/O subsystem 128 and/or the processor 120. Additionally or alternatively, one or more of the I/O controllers 138 may be connected to the I/O subsystem 128 and/or the processor 120 via an expansion bus such as PCI Express (PCIe) or other I/O connection. As described above, the I/O controllers 138 communicate with one or more I/O devices 140, for example over a peripheral communications bus (e.g., USB, Bluetooth, etc.). The I/O devices 140 may be embodied as any I/O device, such as human interface devices, keyboards, mice, touch screens, microphones, cameras, and other input devices, as well as displays and other output devices. As described above, the I/O controllers 138 and associated DMA channels are uniquely identified using identifiers called channel identifiers (CIDs). Each I/O controller 138 may assert an appropriate CID with every DMA transaction, for example as part of a transaction layer packet (TLP) prefix, to uniquely identify the source of the DMA transaction and provide liveness protections. The CID also enables the isolation of I/O from different devices 140.

Referring now to FIG. 2, in an illustrative embodiment, the computing device 100 establishes an environment 200 during operation. The illustrative environment 200 includes trusted I/O manager 202, a channel programmer 204, a processor reserved memory manager 206, a firmware environment 208, a wrapping engine 210, an unwrapping engine 212, a cleaning engine 214, and a copy/encrypt engine 216. The various components of the environment 200 may be embodied as hardware, firmware, software, or a combination thereof. As such, in some embodiments, one or more of the components of the environment 200 may be embodied as circuitry or collection of electrical devices (e.g., trusted I/O manager circuitry 202, channel programmer circuitry 204, processor reserved memory manager circuitry 206, firmware environment circuitry 208, wrapping engine circuitry 210, unwrapping engine circuitry 212, cleaning engine circuitry 214, and/or copy/encrypt engine circuitry 216). It should be appreciated that, in such embodiments, one or more of the trusted I/O manager circuitry 202, the channel programmer circuitry 204, the processor reserved memory manager circuitry 206, the firmware environment circuitry 208, the wrapping engine circuitry 210, the unwrapping engine circuitry 212, the cleaning engine circuitry 214, and/or the copy/encrypt engine circuitry 216 may form a portion of the processor 120, the I/O subsystem 128, the CID filter 136, and/or other components of the computing device 100. In particular, as shown in FIG. 2, the wrapping engine 210, the unwrapping engine 212, the cleaning engine 214, the copy/encrypt engine 216 may be embodied as digital logic, microcode, or other resources of the processor 120. Additionally, in some embodiments, one or more of the illustrative components may form a portion of another component and/or one or more of the illustrative components may be independent of one another.

The firmware environment 208 is configured to assign a trusted I/O (TIO) processor reserved memory (PRM) region in the memory 130. As described further below, the TIO PRM region may include processor reserved memory regions that are each associated with a particular channel identifier. The processor 120 is configured to prevent access by software components (unprivileged or privileged) to the TIO PRM region.

The channel programmer 204 is configured to generate, by an unprivileged software component, programming information for the CID filter 136. The programming information is indicative of, among other data, a channel identifier and a channel key. The channel programmer 204 is further configured to invoke, by the unprivileged software component, an unprivileged processor instruction with the programming information as a parameter. The unprivileged processor instruction may be embodied as an EBIND instruction. In some embodiments, the processor 120 may establish a secure enclave with the secure enclave support 122, and the secure enclave may include the unprivileged software component.

The wrapping engine 210 is configured to generate, by the processor 120, wrapped programming information based on the programming information in response to invocation of the unprivileged processor instruction (i.e., the EBIND instruction). The wrapped programming information includes an encrypted channel key and is indicative of a processor reserved memory region that is associated with the channel identifier of the programming information.

The channel programmer 204 is further configured to provide, by the unprivileged software component, the wrapped programming information to a privileged software component. The privileged software component may be embodied as, for example, a kernel mode driver of the computing device 100. The processor 120 is further configured to prevent the privileged software component from accessing the processor reserved memory region associated with the channel identifier. The channel programmer 204 is further configured to invoke, by the privileged software component, a privileged processor feature with the wrapped programming information as a parameter. The privileged processor feature may be embodied as a TIO_UNWRAP instruction of the processor 120. The channel programmer 204 may be further configured to verify, by the privileged software component, the wrapped programming information and to invoke the privileged processor feature in response to verification of the wrapped programming information. The channel programmer 204 may be further configured to read, by the privileged software component, a cryptographic response from the processor 120 in response to invocation of the privileged processor feature.

The unwrapping engine 212 is configured to program, by the processor 120, the CID filter 136 with the channel identifier and a memory range of the processor reserved memory region associated with the channel identifier in response to invocation of the privileged processor feature (i.e., the TIO_UNWRAP instruction).

The processor reserved memory manager 206 is configured to invoke, by the privileged software component, a privileged processor feature with the memory range of the processor reserved memory region associated with the channel identifier as a parameter. The privileged processor feature may be embodied as a TIO_PRM_CLEANUP instruction of the processor. The cleaning engine 214 is configured to securely clear, by the processor 120, the memory range of the processor reserved memory region in response to invocation of the privileged processor feature (i.e., the TIO_PRM_CLEANUP instruction).

The trusted I/O manager 202 may be configured to intercept, by a privileged software component, an I/O request that is indicative of a privileged memory buffer. The privileged software component may be embodied as, for example, a kernel mode filter driver of the computing device 100. The trusted I/O manager 202 may be further configured to allocate, by the filter driver, a shadow memory buffer located at a memory address in the processor reserved memory region that is associated with a channel identifier associated with the I/O request, and to generate, by the filter driver, a replacement I/O request indicative of the memory address in response to allocating the shadow memory buffer. An I/O controller 138 associated with the replacement I/O request may generate an I/O transaction in response to generation of the replacement I/O request.

The CID filter 136 is configured to verify the I/O transaction. The I/O transaction includes a channel identifier and the memory address of the shadow buffer. Verifying the I/O transaction may include verifying that the memory address is included in a processor reserved memory region that is associated with the channel identifier.

The trusted I/O manager 202 is further configured to invoke, by the privileged software component of the computing device, a privileged processor feature in response to verification of the I/O transaction by the CID filter 136. The privileged processor feature may be embodied as a TIO_COPY_ENCRYPT instruction of the processor 120.

The copy/encrypt engine 216 is configured to encrypt, by the processor 120, I/O data at the memory address in the shadow buffer with a channel key to generate encrypted data in response to invocation of the privileged processor feature (i.e., the TIO_COPY_ENCRYPT instruction). The copy/encrypt engine 216 is further configured to copy, by the processor 120, the encrypted data to the privileged memory buffer associated with the original I/O request. The privileged memory buffer is located outside of the TIO PRM region. The copy/encrypt engine 216 may be further configured to determine, by the processor 120, whether the processor reserved memory region associated with the channel identifier has been securely cleared in response to invocation of the privileged processor feature. The I/O data may be encrypted and copied only if the processor reserved memory region has been securely cleared. The copy/encrypt engine 216 may be further configured to indicate, by the processor 120, an error condition in response to determining that the processor reserved memory region has not been securely cleared.

The trusted I/O manager 202 may be further configured to copy, by the privileged software component, the encrypted data from the privileged memory buffer to an unprivileged memory buffer. For example, the encrypted data may be passed through a system I/O stack to the unprivileged memory buffer. The trusted I/O manager 202 may be further configured to decrypt, by an unprivileged software component, the encrypted data in the unprivileged memory buffer in response to copying the encrypted data. The unprivileged software component may be embodied as, for example, a secure enclave established with the secure enclave support 122 of the processor 120.

Referring now to FIG. 3, diagram 300 illustrates a system I/O stack that may be established by the computing device 100. As shown, the diagram 300 includes hardware and software components, and the software components are either kernel-mode (e.g., privileged or ring-0 code) or user mode (e.g., unprivileged or ring-3 code). The unprivileged software components include a crypto engine enclave (CEE) 302 and an application enclave 304. Each of the enclaves 302, 304 may be embodied as a secure enclave protected with the secure enclave support 122 of the processor 120, and thus may be considered trusted components. The privileged software includes a CID filter device driver 306 and an I/O stack that includes a class driver 308, a filter driver 310, and a bus driver 312. Each of the drivers 306 through 312 may be embodied as kernel-mode drivers, loadable kernel modules, monolithic kernel code, or other privileged code. However, the drivers 306 through 312 may not be protected with the secure enclave support 122 and thus may be considered untrusted components from the perspective of the CEE 302 and/or the application enclave 304.

In use, as described further below in connection with FIGS. 5A and 5B, the CEE 302 communicates with the CID filter driver 306 to securely program the crypto engine 124 of the processor 120 and the CID filter 136 to perform trusted I/O over a DMA channel. The crypto engine 124 and the CID filter 136 may be programmed with, for example, a channel identifier, a channel encryption key, and a range in the TIO processor reserved memory (PRM) region associated with the channel identifier. The channel encryption key may be shared with the application enclave 304. As described further below in connection with FIGS. 6A and 6B, the filter driver 310 intercepts an I/O request and replaces the memory address of the I/O request with a shadow buffer in the TIO PRM range associated with the channel identifier, and then invokes the processor 120 to copy and encrypt the data from the shadow buffer to an ordinary kernel buffer. The encrypted data is passed through the I/O stack (e.g., through the class driver 308) to the application enclave 304, which may decrypt the data with the channel encryption key.

Although illustrated with a particular structure in FIG. 3, it should be understood that in some embodiments, the computing device 100 may use a different driver and/or enclave structure. For example, in some embodiments, one or more privileged software components such as the CID filter device driver 306 and the filter driver 310 may be combined into a single privileged software component. As another example, in some embodiments, the operating system kernel may use a different driver model for I/O devices and thus may not divide functionality into a stack of class driver 308, filter driver 310, and bus driver 312. Similarly, in some embodiments, the non-privileged software components such as the CEE 302 and the application enclave 304 may be combined or otherwise organized in a different structure. However, as described further below, the cryptographic engine ISA 126 of the processor 120 may enforce the separation of functions and responsibilities between privileged (e.g., ring-0 or kernel) software components and unprivileged (e.g., ring-3 or user) software components.

Referring now to FIG. 4, in use, the computing device 100 may execute a method 400 for protecting I/O data. It should be appreciated that, in some embodiments, the operations of the method 400 may be performed by one or more components of the environment 200 of the computing device 100 as shown in FIG. 2. The method 400 begins in block 402, in which the processor 120 of the computing device 100 reserves a trusted I/O (TIO) processor reserved memory (PRM) region in the memory 130. For example, one or more TIO PRM range registers may be set to define the TIO PRM range in memory. Continuing that example, the processor 120 may include a TIO PRM base register and a TIO PRM size register, which together define the TIO PRM range. After reserving the TIO PRM range, the processor 120 may generate a page fault, exception, or other error in response to a software attempt to access the TIO PRM range. As another example, in some embodiments the processor 120 may prevent access to the TIO PRM range without generating an error, for example by excluding the TIO PRM from a system memory map or other memory layout of the computing device 100. The TIO PRM region may be reserved by system firmware, as described further below in connection with FIGS. 5A and 5B.

In block 404, the processor 120 of the computing device 100 securely programs the CID filter 136 with a channel identifier (CID) associated with a secure I/O channel and a range in the TIO PRM region associated with the CID, called a CID TIO PRM range. In response to being programmed, the CID filter 136 may store the CID, the associated CID TIO PRM range, and/or other programming data in a content-addressable memory (CAM) table. The CID filter 136 may be securely programmed using one or more instructions or other features of the processor 120. One embodiment of a method and instruction set architecture (ISA) for securely programming the CID filter 136 is described below in connection with FIGS. 5A and 5B.

In block 406, an I/O controller 138 of the computing device 100 generates an I/O transaction. The I/O transaction identifies a memory address in the memory 130 as well as plaintext I/O data, which may be received from an I/O device 140. The I/O transaction may be embodied as, for example, a PCI DMA transaction. In some embodiments, in block 408 the I/O controller 138 may add a CID to the I/O transaction. For example, the I/O controller 138 may add a CID to transactions that originate from a TIO-capable I/O device 140. The CID may be included in the I/O transaction, for example, in a TLP prefix of a PCI transaction.

In block 410, the CID filter 136 intercepts the I/O transaction and determines whether the I/O transaction includes a CID that has been programmed to the CID filter 136. In block 412, the CID filter 136 checks whether the I/O transaction includes a CID that has been programmed. If not, the method 400 branches to block 414, in which the CID filter 136 allows the I/O transaction to write to the memory 130 without performing any TIO-related security checks. Thus, the CID filter 136 may allow unsecure channels (or I/O controllers 138 that do not support CIDs) to communicate unprotected I/O data with the memory 130. After allowing the I/O transaction, the method 400 loops back to block 406 to continue generating and filtering I/O transactions. Referring back to block 412, if the I/O transaction includes a CID that has been programmed, the method 400 advances to block 416.

In block 416, the CID filter 136 compares the address of the I/O transaction to the CID TIO PRM range that has been programmed for the CID of the transaction. In particular, the CID filter 136 verifies that the CID has been programmed and that the address of the I/O transaction is within the CID TIO PRM range that was previously programmed. For example, the CID filter 136 may look up the CID in the CAM table and then verify the associated address. In block 418, the CID filter 136 checks whether the address is within the CID TIO PRM range. If not, the method 400 branches to block 420, in which the CID filter 136 drops the I/O transaction, preventing the I/O data from being written to the memory 130. In some embodiments, the CID filter 136 may also generate an error signal or other indication that the I/O transaction was dropped. After dropping the I/O transaction, the method 400 loops back to block 406 to continue generating and filtering I/O transactions. Referring back to block 418, if the memory address is within the CID TIO PRM range, the method 400 advances to block 422.

In block 422, the CID filter 136 allows the I/O transaction to write the plaintext I/O data to the memory address within the CID TIO PRM range. As described above, the TIO PRM is protected by the processor 120 from access by software of the computing device 100. Thus, even though the I/O data is written to the memory 130 in plaintext, the I/O data is protected from potential malicious software.
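The filter decision of blocks 410 through 422, as an added software model that is not code from the patent. It treats a transaction with no CID as unfiltered (block 414), a CID that is present but was never programmed as a failed verification (following blocks 416 and 616), and checks the whole transaction extent rather than only its start address, which is a stricter generalization of the address check described above. CAM_ENTRIES, the CID_NONE encoding, the sample range and every function name are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added model of the CID filter decision (blocks 410-422); not the patent's code.
 * CAM_ENTRIES, CID_NONE and every name below are assumptions of this model. */
#define CAM_ENTRIES 8
#define CID_NONE    0          /* assumed encoding: the transaction carries no CID */

enum filter_verdict {
    VERDICT_PASS_UNFILTERED,   /* no CID: unsecure channel, no TIO checks (block 414) */
    VERDICT_ALLOW,             /* CID programmed, extent inside its range (block 422) */
    VERDICT_DROP_UNKNOWN_CID,  /* CID present but never programmed into the CAM */
    VERDICT_DROP_OUT_OF_RANGE  /* extent leaves the CID TIO PRM range (block 420) */
};

struct cam_entry  { bool valid; uint16_t cid; uint64_t base; uint64_t size; };
struct cid_filter { struct cam_entry cam[CAM_ENTRIES]; };
struct io_txn     { uint16_t cid; uint64_t addr; uint64_t len; };

/* Programming side (block 532): bind a CID to a CID TIO PRM range. An entry for an
 * existing CID is replaced; an empty or wrapping range, or a full CAM, is refused. */
bool cid_filter_program(struct cid_filter *f, uint16_t cid, uint64_t base, uint64_t size)
{
    struct cam_entry *slot = NULL;
    if (cid == CID_NONE || size == 0 || base > UINT64_MAX - size)
        return false;
    for (size_t i = 0; i < CAM_ENTRIES; i++) {
        if (f->cam[i].valid && f->cam[i].cid == cid) { slot = &f->cam[i]; break; }
        if (!f->cam[i].valid && slot == NULL) slot = &f->cam[i];
    }
    if (slot == NULL) return false;
    *slot = (struct cam_entry){ true, cid, base, size };
    return true;
}

static const struct cam_entry *cam_lookup(const struct cid_filter *f, uint16_t cid)
{
    for (size_t i = 0; i < CAM_ENTRIES; i++)
        if (f->cam[i].valid && f->cam[i].cid == cid) return &f->cam[i];
    return NULL;
}

/* Filtering side: the whole [addr, addr+len) extent must sit inside the programmed
 * range, and addr+len must not wrap around the address space. */
enum filter_verdict cid_filter_decide(const struct cid_filter *f, const struct io_txn *t)
{
    const struct cam_entry *e;
    if (t->cid == CID_NONE) return VERDICT_PASS_UNFILTERED;
    if ((e = cam_lookup(f, t->cid)) == NULL) return VERDICT_DROP_UNKNOWN_CID;
    if (t->len == 0 || t->addr > UINT64_MAX - t->len) return VERDICT_DROP_OUT_OF_RANGE;
    if (t->addr < e->base || t->addr + t->len > e->base + e->size)
        return VERDICT_DROP_OUT_OF_RANGE;
    return VERDICT_ALLOW;
}

/* Convenience wrapper: build the transaction and decide in one call. */
enum filter_verdict cid_filter_check(const struct cid_filter *f, uint16_t cid, uint64_t addr, uint64_t len)
{
    struct io_txn t = { cid, addr, len };
    return cid_filter_decide(f, &t);
}

/* A filter holding one constructed entry: CID 5 owns [0x1000, 0x2000). */
const struct cid_filter *demo_filter(void)
{
    static struct cid_filter f;
    static bool ready;
    if (!ready) { cid_filter_program(&f, 5, 0x1000, 0x1000); ready = true; }
    return &f;
}

int main(void)
{
    const struct cid_filter *f = demo_filter();
    printf("no CID     -> %d\n", cid_filter_check(f, CID_NONE, 0x9000, 0x40));
    printf("inside     -> %d\n", cid_filter_check(f, 5, 0x1800, 0x100));
    printf("straddling -> %d\n", cid_filter_check(f, 5, 0x1F80, 0x100));
    printf("unknown    -> %d\n", cid_filter_check(f, 7, 0x1800, 0x100));
    return 0;
}
```

The wrap-around guard in `cid_filter_program` and `cid_filter_decide` is the detail worth copying: a range whose end overflows, or a transaction whose `addr + len` wraps, would otherwise pass a naive `addr >= base && addr < base + size` comparison.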

In block 424, the processor 120 copies and encrypts the I/O data from the CID TIO PRM to an ordinary memory buffer, which may be accessible by privileged and/or unprivileged software of the computing device 100. The processor 120 encrypts the I/O data with a channel key associated with the CID of the I/O transaction. The encrypted I/O data may be decrypted, for example, by trusted software that possesses the appropriate channel key. The I/O data may be securely copied and encrypted using one or more instructions or other processor features of the processor 120. One potential embodiment of a method and ISA for protecting I/O data is described below in connection with FIGS. 6A and 6B.

Referring now to FIGS. 5A and 5B, in use, the computing device 100 may execute a method 500 for programming a TIO channel. It should be appreciated that, in some embodiments, the operations of the method 500 may be performed by one or more components of the environment 200 of the computing device 100 as shown in FIG. 2. The method 500 begins in block 502, in which system firmware of the computing device 100 assigns a trusted I/O (TIO) processor reserved memory (PRM) region in the memory 130. In some embodiments, in block 504, the firmware of the computing device 100 may set one or more TIO PRM range registers to define the TIO PRM range in memory. For example, the processor 120 may include a TIO PRM base register and a TIO PRM size register, which together define the TIO PRM range. In block 506, the processor 120 locks down the TIO PRM range to be inaccessible to software. For example, after being locked down, the processor 120 may generate a page fault, exception, or other error in response to a software attempt to access the TIO PRM range. As another example, in some embodiments the processor 120 may prevent access to the TIO PRM range without generating an error, for example by excluding the TIO PRM from a system memory map or other memory layout of the computing device 100.

Because the TIO PRM is locked down by platform firmware (e.g., UEFI firmware, ACPI firmware, BIOS, or other firmware), the platform firmware executed between platform reset and the point at which the TIO PRM is cleaned may be inside a TIO application's trusted code base (TCB). Thus, that part of the platform firmware may be integrity protected, for example using Intel® Boot Guard technology.

As a security requirement to protect data confidentiality, for a given "memory cell" within the TIO PRM range, platform firmware has to either keep the memory cell as part of the TIO PRM in subsequent boots, or securely clean the memory cell before allowing accesses from untrusted software entities/components. The platform firmware may store TIO PRM and memory controller (MC) settings in UEFI variables so that the platform firmware can identify whether any of those settings have changed between boots, and clean memory cells as needed. After configuring the MC and TIO PRM, the platform firmware may store the settings in UEFI variables and integrity-protect the settings using a trusted platform module (TPM). Thus, the computing device 100 may detect whether malicious software has tampered with the UEFI variables (which may be stored on writable flash regions) to fool the platform firmware into skipping cleaning. The computing device may use any integrity protection technique provided by the TPM, such as using the TPM nonvolatile (NV) store or using a sealed MAC key. For the NV store, the settings or the hash of the settings may be stored in the TPM NV store with a policy that allows writes only at the firmware stage where the MC and TIO PRM are configured. At boot, the platform firmware may check the MC routing and TIO PRM range settings against the stored copy and skip cleaning the TIO PRM range only if the settings match. An integrity failure of the stored settings should be considered a setting mismatch. For the sealed MAC key, an HMAC key may be created in the TPM with a policy that allows access by the firmware stage in which the MC and TIO PRM settings are configured. The MC and TIO PRM settings are stored in UEFI variables, along with the MAC. At boot, the platform firmware verifies the stored copy before comparing it against the settings calculated during the current boot. A MAC failure is also considered a mismatch, and will cause memory to be securely cleaned.

On a setting mismatch (i.e., if the location of the TIO PRM has changed since the previous boot), the platform firmware may scrub only those memory locations previously included in the TIO PRM, assuming that the stored settings have passed an integrity check. Of course, in practice the whole memory could simply be scrubbed to reduce the complexity of the platform firmware code, given that a memory geometry change is expected to be a rare event and so should not constitute a performance concern.

After locking down the TIO PRM range, in block 508 the computing device 100 boots an operating system and one or more applications. After boot, the computing device 100 may load one or more operating system drivers or other privileged software components, such as the CID filter device driver 306, the class driver 308, the filter driver 310, and the bus driver 312. Similarly, the computing device 100 may load one or more secure enclaves or other unprivileged software components, such as the CEE 302 and the application enclave 304.

In block 510, the CEE 302 prepares channel programming information for a trusted I/O channel. The TIO channel corresponds to DMA communications with a peripheral device 140 via the associated I/O controller 138. The channel programming information may include: the channel identifier (CID) for the channel being programmed; a channel programming command (e.g., protect a channel, unprotect a channel, reprogram key); a message descriptor, including the message characteristics for data generated from a channel (e.g., maximum message size, header description); one or more channel key(s) associated with the channel to be used for protecting the channel data; and a response key used for generating cryptographic responses. In block 512, the CEE 302 prepares a BIND_STRUCT object that includes the programming information. The BIND_STRUCT is a data structure that is partially populated by software and partially populated by hardware, as described further below. One potential embodiment of the BIND_STRUCT is described below in Table 1. In that embodiment, various items of the channel programming information may be included in the target specific encrypted data BTENCDATA and/or the target specific data BTDATA. In particular, the channel key may be included in the BTENCDATA for protection from untrusted software (e.g., the CID filter device driver 306, the operating system kernel, and/or other software outside of the CEE 302).

TABLE 1. BIND_STRUCT

Name          Size (bytes)                                                Description                                                                     Set By
MAC           16                                                          MAC on encrypted data, target data, ID, SVN, nonce, sequence ID, and size fields  Hardware
BSTRUCTSIZE   2                                                           Size of BIND_STRUCT, e.g., 256                                                  Software
BTENCSIZE     2                                                           Size of encrypted target data, e.g., 48                                         Software
BTDATASIZE    2                                                           Size of target data, e.g., 64                                                   Software
BTUPDATASIZE  2                                                           Size of target specific data not encrypted or integrity processed, e.g., 16     Software
BTID          4                                                           Target device, e.g., CF                                                         Software
BTSVN         4                                                           Target security version number                                                  Software
NONCE         8                                                           Nonce for authenticated responses                                               Software
SEQID         8                                                           Seed for generating initialization vector (IV)                                  Hardware
VERSION       4                                                           BIND_STRUCT version, e.g., must be 1                                            Software
RSVD          12                                                          Reserved, must be zero                                                          Software
BTENCDATA     BTENCSIZE                                                   Target specific encrypted data                                                  Software
BTDATA        BTDATASIZE                                                  Target specific data                                                            Software/Hardware
BTUPDATA      BTUPDATASIZE                                                Target specific data that is not encrypted or integrity protected               Software
RSVD          BSTRUCTSIZE − (52 + BTENCSIZE + BTDATASIZE + BTUPDATASIZE)  Reserved, must be zero                                                          Software

In some embodiments, the CEE 302 may generate a channel key that is based on a recovery policy supplied when the channel is initially programmed. Later, the CEE 302 may recover the channel key if the recovery policy conditions are met. For example, after an application encl ave crashes and leaves the channel encrypted and inaccessible (because no other entity has access to the channel key), the CEE 302 may recover the channel key to program the channel out of encryption if the recovery policy conditions are satisfied (for example, if a delegate provides confirmation). In those embodiments, the CEE 302 may derive the channel key from a random part and a policy part, using EGETKEY as the key derivation function (KDF). The random part may be a random nonce generated by the CEE 302, which may be stored by any software entity (trusted or untrusted) for later use. The policy part may be provided by an authorized entity that has attested to the policy as part of its attestation to the whole TIO stack topology. The policy part may be illustratively embodied as a cryptographic hash of one or more policy components that should be enforced, such as one or more constants, protection states, enclave identifiers (e.g., MR_ENCLAVE or MR_SIGNER), or other policy conditions. To derive the channel key, the CEE 302 passes the nonce and the policy part to EGETKEY, which returns the channel key. To recover the channel key, the requesting untrusted code supplies the CEE 302 with the policy components, and the CEE 302 determines the policy part based on the policy components. The CEE 302 passes the nonce and the derived policy part to EGETKEY, which will return the same channel key if the untrusted code is honest (i.e., if the policy components are correct).

In block 514, the CEE 302 invokes an unprivileged processor instruction to generate wrapped programming information based on the unwrapped channel programming information. The wrapped programming information is bound to the CID filter 136. In particular, parts of the channel programming information may be encrypted and integrity-protected. In block 516, the CEE 302 invokes an EBIND instruction, with the BIND_STRUCT as a parameter. Illustratively, EBIND is a ring 3 instruction, a leaf of ENCLU. In response to invocation of the EBIND instruction, in block 518 the processor 120 encrypts and/or authenticates various fields of the BIND_STRUCT data structure. For example, as shown in Table 1, the processor 120 may encrypt the BTENCDATA field and generate a MAC over other fields, including the BTENCDATA, BTDATA, the target device ID, security version number, nonce, sequence ID, size fields, and/or other fields. EBIND uses an ephemeral key-wrapping key (KWK) to perform its cryptographic operations. The KWK may be sampled by a platform authenticated code module and provided to microcode, and is cleared on reset. Consequently, wrapped blobs generated by EBIND do not survive across reset. Thus, EBIND allows an enclave to wrap a key, bind it to the specified target, and include other target-specific information such as CID, command, CID TIO PRM, etc. The output of the EBIND instruction is a wrapped blob that can be programmed into the target (i.e., the CID filter 136) to establish a shared key between the enclave and the target.

In block 520, the CEE 302 provides the wrapped programming information to the CID filter device driver 306. The CEE 302 may use any appropriate technique to pass the wrapped programming information, for example invoking a system call, API, or other interface to the CID filter device driver 306. The wrapped programming information may be passed as a binary blob of data, as a BIND_STRUCT data structure including encrypted data, or in any other appropriate format.

Referring now to FIG. 5B, in block 522, the CID filter device driver 306 authorizes programming with the wrapped programming information. The CID filter device driver 306 may perform any supervisory or other policy-based determination to determine whether to authorize the wrapped programming information. For example, the CID filter device driver 306 may examine various unencrypted fields of the wrapped programming information such as the channel identifier or the channel programming command to determine whether to allow the programming information. Thus, privileged software (i.e., the CID filter device driver 306) may control allocation of TIO channels. Note that the CID filter device driver 306 (and other privileged software) cannot decrypt encrypted fields of the wrapped programming information (such as the channel encryption keys) and thus cannot access encrypted I/O data for the TIO channel. If the CID filter device driver 306 determines that the wrapped programming information is not authorized, the CID filter device driver 306 may return an error message or otherwise prevent programming the TIO channel. If the CID filter device driver 306 authorizes the wrapped programming information, the method 500 advances to block 524.

In block 524, the CID filter device driver 306 adds the TIO PRM CID range to an unprotected field of the wrapped programming information. The TIO PRM CID range may be embodied as the base and top of the TIO PRM range associated with the channel being programmed. The TIO PRM CID range may be added to a field of the BIND_STRUCT object that is not encrypted or integrity protected, such as the BTUPDATA field described above.
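The BIND_STRUCT layout of Table 1 and the driver's block 524 update, as an added example that is not code from the patent. It assumes the fields are packed in table order with little-endian integers, so that the fixed header occupies 64 bytes and BTENCDATA, BTDATA and BTUPDATA follow it in that order; the example sizes 256/48/64/16 come from Table 1, while the BTID and SVN values, the sample range and all function names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the patent's code: parsing a BIND_STRUCT laid out per Table 1
 * and applying the driver's block 524 update. Assumed: fields packed in table order
 * with little-endian integers, so the fixed header is 64 bytes and the variable
 * fields BTENCDATA, BTDATA, BTUPDATA follow it in that order. */
enum { BS_MAC = 0, BS_BSTRUCTSIZE = 16, BS_BTENCSIZE = 18, BS_BTDATASIZE = 20,
       BS_BTUPDATASIZE = 22, BS_BTID = 24, BS_BTSVN = 28, BS_NONCE = 32,
       BS_SEQID = 40, BS_VERSION = 48, BS_RSVD = 52, BS_HDR_LEN = 64 };

enum bind_err { BIND_OK, BIND_ERR_SHORT, BIND_ERR_VERSION, BIND_ERR_SIZES, BIND_ERR_RSVD };

struct bind_view {
    uint16_t bstructsize, btencsize, btdatasize, btupdatasize;
    uint32_t btid, btsvn, version;
    size_t off_btencdata, off_btdata, off_btupdata;  /* where the variable fields start */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | ((uint16_t)p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static bool all_zero(const uint8_t *p, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* Validate the software-set header before any consumer trusts the blob's geometry:
 * version, size arithmetic (the variable fields must fit) and reserved bytes. */
enum bind_err bind_struct_parse(const uint8_t *buf, size_t buflen, struct bind_view *v)
{
    size_t need;
    if (buflen < BS_HDR_LEN) return BIND_ERR_SHORT;
    v->bstructsize  = rd16(buf + BS_BSTRUCTSIZE);
    v->btencsize    = rd16(buf + BS_BTENCSIZE);
    v->btdatasize   = rd16(buf + BS_BTDATASIZE);
    v->btupdatasize = rd16(buf + BS_BTUPDATASIZE);
    v->btid    = rd32(buf + BS_BTID);
    v->btsvn   = rd32(buf + BS_BTSVN);
    v->version = rd32(buf + BS_VERSION);
    if (v->version != 1) return BIND_ERR_VERSION;
    if (v->bstructsize < BS_HDR_LEN || v->bstructsize > buflen) return BIND_ERR_SIZES;
    need = (size_t)BS_HDR_LEN + v->btencsize + v->btdatasize + v->btupdatasize;
    if (need > v->bstructsize) return BIND_ERR_SIZES;
    v->off_btencdata = BS_HDR_LEN;
    v->off_btdata    = v->off_btencdata + v->btencsize;
    v->off_btupdata  = v->off_btdata + v->btdatasize;
    if (!all_zero(buf + BS_RSVD, BS_HDR_LEN - BS_RSVD) ||
        !all_zero(buf + need, v->bstructsize - need))
        return BIND_ERR_RSVD;
    return BIND_OK;
}

/* Block 524: the driver writes the CID TIO PRM range into BTUPDATA, the one field
 * that is neither encrypted nor covered by the MAC, so the EBIND output stays valid.
 * Every other byte is left untouched; the update is refused if it would not fit. */
bool bind_struct_set_btupdata(uint8_t *buf, size_t buflen, const uint8_t *data, size_t len)
{
    struct bind_view v;
    if (bind_struct_parse(buf, buflen, &v) != BIND_OK || len > v.btupdatasize) return false;
    memcpy(buf + v.off_btupdata, data, len);
    memset(buf + v.off_btupdata + len, 0, v.btupdatasize - len);
    return true;
}

/* Constructed sample blob using the example sizes from Table 1 (256/48/64/16). The
 * BTID value "CF" and the SVN are constructed placeholders. Before EBIND, software
 * would place the channel key in BTENCDATA; here the payload areas are simply zero. */
size_t bind_struct_build_sample(uint8_t *buf, size_t buflen)
{
    if (buflen < 256) return 0;
    memset(buf, 0, 256);
    wr16(buf + BS_BSTRUCTSIZE, 256);  wr16(buf + BS_BTENCSIZE, 48);
    wr16(buf + BS_BTDATASIZE, 64);    wr16(buf + BS_BTUPDATASIZE, 16);
    wr32(buf + BS_BTID, 0x4643);      /* "CF" as little-endian ASCII, constructed */
    wr32(buf + BS_BTSVN, 1);          wr32(buf + BS_VERSION, 1);
    return 256;
}

uint8_t demo_blob[256];
struct bind_view demo_view;

int main(void)
{
    static const uint8_t range[16] = { 0x00, 0x10, 0, 0, 0, 0, 0, 0,   /* base 0x1000 */
                                       0x00, 0x20, 0, 0, 0, 0, 0, 0 }; /* top  0x2000 */
    bind_struct_build_sample(demo_blob, sizeof demo_blob);
    printf("parse: %d\n", bind_struct_parse(demo_blob, sizeof demo_blob, &demo_view));
    printf("BTUPDATA at offset %zu, update ok: %d\n", demo_view.off_btupdata,
           bind_struct_set_btupdata(demo_blob, sizeof demo_blob, range, sizeof range));
    return 0;
}
```

The parser checks the size fields before it computes any offset, because the three size fields are software-set and a consumer that trusts them blindly would read or write past the end of the blob; the update routine rejects anything larger than BTUPDATASIZE for the same reason.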

In block 526, the CID filter device driver 306 invokes a privileged processor feature to program the cryptographic engine 124 and the CID filter 136. The wrapped programming information is decrypted, verified, and programmed to the cryptographic engine 124 and the CID filter 136. The privileged processor feature may be embodied as an instruction, model-specific register (MSR), or other feature of the processor 120. In block 528, the CID filter device driver 306 invokes a TIO_UNWRAP instruction of the processor 120. The CID filter device driver 306 may provide the wrapped BIND_STRUCT to the processor as well as an UNWRAP_RESPONSE_STRUCT to store a cryptographic response. The TIO_UNWRAP instruction may be restricted to ring-0 software or other privileged software such as the CID filter device driver 306. In response to invocation of the TIO_UNWRAP instruction, in block 530 the processor 120 unwraps the programming information. The processor 120 may decrypt various fields of the BIND_STRUCT using the same ephemeral key-wrapping key (KWK) used by the EBIND instruction. For example, the processor 120 may decrypt one or more channel encryption keys included in the BIND_STRUCT. The processor 120 may also verify that the MAC included in the BIND_STRUCT is valid, to prevent alterations to the programming information. In block 532, the processor 120 programs the CID filter 136 with the channel identifier (CID) and the CID TIO PRM range for the TIO channel. The CID TIO PRM range identifies a particular range (e.g., base address and size) within the TIO PRM range of memory 130 that may be used for I/O data associated with the particular CID. The CID filter 136 may include a content-addressable memory (CAM) table that includes the CIDs and associated CID TIO PRM ranges. As described further below, in use the CID filter 136 may verify that the CID included in an I/O transaction has been programmed and that the memory address of the I/O transaction is within the correct CID TIO PRM range. In block 534, the processor 120 programs the cryptographic engine 124 with the channel encryption key(s) associated with the CID. Similar to the CID filter 136, the cryptographic engine 124 may access a CAM table or other data table that relates the CID to the associated channel encryption key(s).

In block 536, after invoking the privileged processor feature to program the cryptographic engine 124 and the CID filter 136, the CID filter device driver 306 reads a cryptographic response from the processor 120. The cryptographic response indicates whether the TIO channel was successfully programmed. As described above, the CID filter device driver 306 may provide an UNWRAP_RESPONSE_STRUCT to the processor 120 to store the cryptographic response. One potential embodiment of an UNWRAP_RESPONSE_STRUCT is described below in Table 2. As shown, the response may indicate whether the programming information was successfully unwrapped, whether the TIO channel was successfully programmed, or other information. The cryptographic response may be authenticated or otherwise generated using a key included in the BIND_STRUCT to allow trusted software (e.g., the crypto engine enclave 302) to securely verify that the TIO channel was programmed.

TABLE 2. UNWRAP_RESPONSE_STRUCT

Field                     Size                               Description
RSP_STRUCT_SIZE           2 B                                Size of the response structure; must be 64 B aligned
CRSP_SIZE                 2 B                                Authenticated response size
VERSION                   4 B                                Structure version, e.g., must be 1
UNWRAP_STATUS             4 B                                Status of unwrap request (e.g., SUCCESSFUL_UNWRAP, INTEGRITY_FAILURE)
Target-specific response  CRSP_SIZE                          Cryptographic response (e.g., CH_PROG_SUCCESS, CH_ALREADY_PROG)
RSVD                      RSP_STRUCT_SIZE − (8 + CRSP_SIZE)  Reserved for future use

In block 538, after reading the cryptographic response, the CID filter device driver 306 invokes a privileged processor feature to securely clear the CID TIO PRM range. Securely clearing the CID TIO PRM prevents potential leakage of sensitive information already stored in the CID TIO PRM range. Thus, the processor 120 may not allow data to leave the CID TIO PRM range until it has been securely cleared. The privileged processor feature may be embodied as an instruction, model-specific register (MSR), or other feature of the processor 120. In block 540, the CID filter device driver 306 invokes a TIO_PRM_CLEANUP instruction for each memory page in the CID TIO PRM range. TIO_PRM_CLEANUP provides ring-0 software or other privileged software such as the CID filter device driver 306 the ability to carry out the cleanup of the CID TIO PRM assigned to a channel before the channel data can be consumed by an enclave. Thus, TIO_PRM_CLEANUP may ensure that untrusted software cannot cause data leaks due to the shared TIO PRM with plaintext data. To clean up memory pages associated with a CID, the CID filter device driver 306 may provide the processor 120 with a CLEANUP_PARAM_STRUCT data structure as shown below in Table 3. In response to invocation of the TIO_PRM_CLEANUP instruction, in block 542, the processor 120 cleans one or more memory pages in the CID TIO PRM. The processor 120 may use any technique to clean the memory pages, such as zeroing the pages, securely overwriting the pages, or otherwise clearing the contents of the memory pages. The CID filter device driver 306 and/or the processor 120 may continue to clean memory pages until the entire CID TIO PRM has been cleaned, which may be indicated with the STATUS field of the CLEANUP_PARAM_STRUCT. In block 544, after the pages have been cleaned, the processor 120 allows a copy and encrypt operation for the CID TIO PRM memory pages. Attempts to copy and encrypt data from the CID TIO PRM before cleaning is complete may cause the processor 120 to generate an error.

TABLE 3. CLEANUP_PARAM_STRUCT

Field    Size  Description
CID      2     Channel ID of the channel to be cleaned
STATUS   2     Status of the cleanup (e.g., CONTINUE_CLEANUP, CLEANUP_DONE)
VERSION  4     Structure version, e.g., must be 1
RSVD     4     Reserved, must be zero

After cleaning the CID TIO PRM, in block 546, the CID filter device driver 306 returns the cryptographic response to the CEE 302. The CID filter device driver 306 may, for example, return the UNWRAP_RESPONSE_STRUCT to the CEE 302. In block 548, the CEE 302 verifies the cryptographic response. As described above, the cryptographic response may be authenticated or otherwise generated using a key included in the BIND_STRUCT. Thus, the CEE 302 may verify that the cryptographic response is authentic and was generated by the target of the BIND_STRUCT (e.g., the processor 120 and/or the CID filter 136). The CEE 302 may allow communication over the TIO channel only if the cryptographic response indicates that programming was successful. After verifying the cryptographic response, the method 500 is completed. The computing device 100 may go on to protect I/O data transmitted over the TIO channel as described further below in connection with FIGS. 6A and 6B. In some embodiments, the computing device 100 may restart the method 500 to program and/or re-program additional TIO channels.

Referring now to FIGS. 6A and 6B, in use, the computing device 100 may execute a method 600 for protecting I/O data. It should be appreciated that, in some embodiments, the operations of the method 600 may be performed by one or more components of the environment 200 of the computing device 100 as shown in FIG. 2. The method 600 begins in block 602, in which the application enclave 304 of the computing device 100 sends an I/O request to read data into a user buffer. The I/O request may identify a particular I/O device 140 that has previously been programmed to use a TIO channel as described above in connection with FIGS. 5A and 5B. Thus, the I/O request is associated with a particular channel identifier (CID) that identifies the particular I/O controller 138 and I/O device 140. The user buffer may be embodied as any memory buffer located in an unprivileged memory range (e.g., user memory). The application enclave 304 may use any appropriate technique to send the I/O request, for example by invoking one or more system calls, APIs, or other interfaces to an operating system I/O stack.

The I/O request is then processed through the operating system I/O stack. In block 604, a class driver 308 allocates a kernel buffer for the I/O request. The kernel buffer may be embodied as any memory buffer located in a privileged memory range (e.g., kernel memory). The class driver 308 may be embodied as a driver appropriate for the I/O device 140 of the I/O request, such as a keyboard, mouse, USB human interface device (HID), webcam, or other device.

In block 606, the filter driver 310 intercepts the I/O request. The filter driver 310 may use any appropriate technique to intercept the I/O request. For example, certain operating systems such as Microsoft® Windows™ may maintain an I/O driver stack that allows a class driver 308 to pass the I/O request down to the filter driver 310. In block 608, the filter driver 310 allocates or otherwise identifies a shadow buffer in the CID TIO PRM range for the I/O request. The shadow buffer may be embodied as any memory buffer included in the CID TIO PRM range. As described above, the CID TIO PRM range is a range of the TIO PRM that has been associated with the CID for a particular TIO channel. Thus, privileged software (i.e., the filter driver 310) manages the allocation of buffers within the TIO PRM, even though the processor 120 may prevent the privileged software from accessing the data within the TIO PRM. As described above in connection with FIGS. 5A and 5B, the CID TIO PRM range is programmed by the CID filter device driver 306 to the CID filter 136 during channel setup.

In block 610, the filter driver 310 sends an I/O request to read data into the shadow buffer. The filter driver 310 may, for example, replace a kernel buffer memory address with the corresponding address of the shadow buffer. The filter driver 310 may send the I/O request, for example, by sending the I/O request further down the system I/O stack. In block 612, the bus driver 312 submits the I/O request to read data into the shadow buffer to the I/O controller 138. The bus driver 312 may be embodied as a driver appropriate for the expansion bus and/or controller type of the I/O controller 138, such as a USB, PCI, or other interface.

In block 614, the I/O controller 138 generates an I/O transaction in response to the I/O request. The I/O transaction includes the CID of the TIO channel, for example included in a TLP prefix of a PCI transaction. The I/O transaction also includes or otherwise identifies the memory address of the shadow buffer in the CID TIO PRM. Of course, the I/O transaction also includes plaintext data received from the I/O device 140.

In block 616, the CID filter (CF) 136 intercepts the I/O transaction and verifies the CID and the address of the I/O transaction. In particular, the CID filter 136 verifies that the CID has been programmed and that the address of the I/O transaction is within the CID TIO PRM range that was previously programmed. For example, the CID filter 136 may look up the CID in a content-addressable memory (CAM) table and then verify the associated address.

In block 618, the CID filter 136 determines whether the I/O transaction was verified. If not, the method 600 advances to block 620, in which the I/O transaction is dropped. In some embodiments, the CID filter 136 may also generate an error signal or other indication that the I/O transaction was dropped. After dropping the I/O transaction, the method 600 loops back to block 602 to process additional I/O transactions. Referring back to block 618, if the I/O transaction was verified, the method 600 branches to block 622, shown in FIG. 6B.

Referring now to FIG. 6B, in block 622 the filter driver 310 handles a DMA completion from the I/O controller 138. The DMA completion is generated when the I/O controller 138 performs a DMA operation to write I/O data from the I/O device 140 into the shadow buffer. The filter driver 310 may use any appropriate technique for handling the DMA completion, for example, handling an interrupt, responding to an event, or otherwise responding to the DMA completion.

In response to the DMA completion, in block 624 the filter driver 310 invokes a privileged processor feature to encrypt and copy the I/O data from the shadow buffer to the kernel buffer. The kernel buffer may be the kernel buffer allocated by the class driver 308 as described above in connection with block 604. The processor 120 encrypts the data using the channel encryption key associated with the TIO channel. The privileged processor feature may be embodied as an instruction, model-specific register (MSR), or other feature of the processor 120. In block 626, the filter driver 310 invokes a TIO_COPY_ENCRYPT instruction of the processor 120. The TIO_COPY_ENCRYPT instruction takes a source address in the TIO PRM range and a destination address in the original kernel memory and copies the DMA data from source to destination after encryption. The filter driver 310 may provide the processor 120 with a COPY_ENC_PARAM_STRUCT data structure that includes parameters for the copy and encrypt operation. For example, the parameters may identify the source address in the TIO PRM range, the size of the data to be encrypted, the CID, the destination address, and storage for integrity data (e.g., an authentication tag). One potential embodiment of the COPY_ENC_PARAM_STRUCT is described below in Table 4. In block 628, in response to invocation of the TIO_COPY_ENCRYPT instruction, the processor 120 verifies that memory in the CID TIO PRM has been cleaned as described above in connection with block 538 of FIG. 5B. If not, the processor 120 may generate an error, for example by setting the RESULT field of the COPY_ENC_PARAM_STRUCT to CENC_PENDING_CLEANUP. If the CID TIO PRM range has been cleaned, in block 630 the processor 120 encrypts I/O data from the CID TIO PRM with the channel encryption key and stores the encrypted data in the kernel buffer. The encryption may be performed by the cryptographic engine 124, for example by processor microcode and/or by one or more cryptographic hardware accelerators.

TABLE 4. COPY_ENC_PARAM_STRUCT

Field        Size  Description
CID          2     Channel ID
SIZE         2     Size of data to copy and encrypt
VERSION      4     Structure version, e.g., must be 1
SOURCE_ADDR  8     Effective address in TIO PRM to copy and encrypt from
DEST_ADDR    8     Effective address of destination buffer in kernel memory
RSVD         8     Reserved, must be zero
AT           16    Authentication tag
RESULT       4     Result of copy and encrypt operation (e.g., CENC_SUCCESS, CENC_PENDING_CLEANUP)
RSVD         12    Reserved, must be zero

In block 632, after the copy and encryption has completed successfully (e.g., if the RESULT field of the COPY_ENC_PARAM_STRUCT is CENC_SUCCESS), the filter driver 310 provides the DMA completion to the class driver 308. The filter driver 310 may, for example, pass the DMA completion up a system I/O driver stack. In block 634, the class driver 308 copies the encrypted data from the kernel buffer to the user buffer provided by the application enclave 304. In block 636, the class driver 308 provides the DMA completion to the application enclave 304. For example, the class driver 308 may indicate that the I/O request has completed successfully using any appropriate technique.

In block 638, the application enclave 304 decrypts the encrypted data from the user buffer. Because the application enclave 304 is a trusted execution environment, the decrypted, plaintext content of the I/O is not accessible to untrusted software of the computing device such as the operating system (including the class driver 308, the bus driver 312, and/or the filter driver 310). In some embodiments, in block 640 the application enclave 304 may verify the I/O data, for example by verifying an authentication tag associated with the encrypted I/O data. After decrypting the I/O data, the method 600 loops back to block 602, shown in FIG. 6A, to continue processing I/O requests.
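The cleanup gate of blocks 538 through 544, the TIO_COPY_ENCRYPT ordering of blocks 624 through 630, and the enclave's decrypt-and-verify of blocks 638 and 640, as one added software model that is not the patent's code. The page does not name the processor's cipher, so SipHash-2-4 used as a PRF (a counter-mode keystream plus a 64-bit tag under a per-message subkey) stands in for it here; the real cryptographic engine would use an AEAD. PAGE_SIZE, MAX_CHANNELS, the sample channel, the placeholder keys and all function names are assumptions of the model, and the constructed sample state at the end plays the part of the DMA that software cannot perform on a real TIO PRM.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added model of TIO_PRM_CLEANUP (blocks 538-544), TIO_COPY_ENCRYPT (blocks 624-630) and
 * the enclave's decrypt/verify (blocks 638-640); not the patent's code. SipHash-2-4 used
 * as a PRF stands in for the unnamed processor cipher. All names are assumptions. */
#define PAGE_SIZE    256                                  /* small pages keep the model quick */
#define MAX_CHANNELS 4
enum { CONTINUE_CLEANUP = 0, CLEANUP_DONE = 1 };                          /* Table 3 STATUS */
enum { CENC_SUCCESS = 0, CENC_PENDING_CLEANUP = 1, CENC_BAD_PARAM = 2 };  /* Table 4 RESULT */
struct cleanup_param_struct  { uint16_t cid, status; uint32_t version; };
struct copy_enc_param_struct {                    /* Table 4, with pointers for the addresses */
    uint16_t cid, size; uint32_t version;
    const uint8_t *source_addr; uint8_t *dest_addr; uint8_t at[16]; uint32_t result; };
struct tio_channel {                            /* state left by TIO_UNWRAP (blocks 532-534) */
    bool programmed; uint16_t cid; uint8_t *prm_base; size_t pages, pages_cleaned;
    uint8_t enc_key[16], mac_key[16]; uint64_t seq; };
static struct tio_channel chan[MAX_CHANNELS];

/* SipHash-2-4: 128-bit key, 64-bit output. */
#define ROTL(x, b) ((uint64_t)(((x) << (b)) | ((x) >> (64 - (b)))))
#define SIPROUND do { v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
    v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); } while (0)
static uint64_t le64(const uint8_t *p) { uint64_t r = 0; for (int i = 7; i >= 0; i--) r = (r << 8) | p[i]; return r; }
static void put64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static uint64_t siphash24(const uint8_t k[16], const uint8_t *in, size_t len)
{
    uint64_t k0 = le64(k), k1 = le64(k + 8), b = (uint64_t)len << 56, m;
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
    size_t i = 0;
    for (; i + 8 <= len; i += 8) { m = le64(in + i); v3 ^= m; SIPROUND; SIPROUND; v0 ^= m; }
    for (size_t j = 0; i + j < len; j++) b |= (uint64_t)in[i + j] << (8 * j);
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b; v2 ^= 0xff; SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}
static struct tio_channel *find(uint16_t cid)
{ for (int i = 0; i < MAX_CHANNELS; i++) if (chan[i].programmed && chan[i].cid == cid) return &chan[i]; return NULL; }

/* Programming a channel (re)arms the cleanup requirement: nothing may leave the CID TIO
 * PRM until every page has been cleaned once under this programming. */
bool tio_program_channel(uint16_t cid, uint8_t *prm_base, size_t pages,
                         const uint8_t enc_key[16], const uint8_t mac_key[16])
{
    struct tio_channel *c = find(cid);
    for (int i = 0; i < MAX_CHANNELS && c == NULL; i++) if (!chan[i].programmed) c = &chan[i];
    if (c == NULL || pages == 0) return false;
    *c = (struct tio_channel){ true, cid, prm_base, pages, 0, {0}, {0}, 0 };
    memcpy(c->enc_key, enc_key, 16); memcpy(c->mac_key, mac_key, 16);
    return true;
}
/* One TIO_PRM_CLEANUP call cleans one page; the driver loops until STATUS is CLEANUP_DONE. */
bool tio_prm_cleanup(struct cleanup_param_struct *p)
{
    struct tio_channel *c = find(p->cid);
    if (c == NULL || p->version != 1) return false;
    if (c->pages_cleaned < c->pages) {
        volatile uint8_t *page = c->prm_base + c->pages_cleaned * PAGE_SIZE;
        for (size_t i = 0; i < PAGE_SIZE; i++) page[i] = 0;      /* volatile: never elided */
        c->pages_cleaned++;
    }
    p->status = (c->pages_cleaned == c->pages) ? CLEANUP_DONE : CONTINUE_CLEANUP;
    return true;
}
/* Keystream block = PRF(key, seq || block index); seq is the channel's message counter. */
static void xor_keystream(const uint8_t key[16], uint64_t seq, const uint8_t *in, uint8_t *out, size_t n)
{
    uint8_t ctr[16]; put64(ctr, seq);
    for (size_t off = 0; off < n; off += 8) {
        uint64_t ks; put64(ctr + 8, off / 8); ks = siphash24(key, ctr, 16);
        for (size_t i = 0; i < 8 && off + i < n; i++) out[off + i] = in[off + i] ^ (uint8_t)(ks >> (8 * i));
    }
}
/* Tag over the ciphertext under a per-message subkey, so seq is bound into the tag too. */
static uint64_t tag_for(const uint8_t mac_key[16], uint64_t seq, const uint8_t *ct, size_t n)
{
    uint8_t sub[16], in[9]; put64(in, seq);
    for (int h = 0; h < 2; h++) { in[8] = (uint8_t)h; put64(sub + 8 * h, siphash24(mac_key, in, 9)); }
    return siphash24(sub, ct, n);
}
/* TIO_COPY_ENCRYPT: the source must lie inside the channel's range, and the call is refused
 * with CENC_PENDING_CLEANUP until the whole range has been cleaned (blocks 628-630). */
uint32_t tio_copy_encrypt(struct copy_enc_param_struct *p)
{
    struct tio_channel *c = find(p->cid);
    if (c == NULL || p->version != 1 || p->size == 0 || p->source_addr < c->prm_base ||
        p->source_addr + p->size > c->prm_base + c->pages * PAGE_SIZE) return p->result = CENC_BAD_PARAM;
    if (c->pages_cleaned < c->pages) return p->result = CENC_PENDING_CLEANUP;
    xor_keystream(c->enc_key, c->seq, p->source_addr, p->dest_addr, p->size);
    memset(p->at, 0, 16); put64(p->at, tag_for(c->mac_key, c->seq, p->dest_addr, p->size));
    c->seq++; return p->result = CENC_SUCCESS;
}
/* Enclave side (blocks 638-640): compare the tag as one 64-bit word, then decrypt. */
bool enclave_decrypt_verify(const uint8_t enc_key[16], const uint8_t mac_key[16], const uint8_t *ct,
                            size_t n, const uint8_t at[16], uint64_t seq, uint8_t *out)
{
    if (le64(at) != tag_for(mac_key, seq, ct, n)) return false;
    xor_keystream(enc_key, seq, ct, out, n); return true;
}
/* Constructed sample state: channel 3 owns a two-page CID TIO PRM; the keys are placeholders. */
uint8_t demo_prm[2 * PAGE_SIZE], demo_ct[32], demo_pt[32];
const uint8_t demo_enc_key[16] = "enc-key-example", demo_mac_key[16] = "mac-key-example";
struct cleanup_param_struct  demo_clean = { 3, CONTINUE_CLEANUP, 1 };
struct copy_enc_param_struct demo_cenc  = { 3, 32, 1, demo_prm, demo_ct, {0}, 0 };
```

Driven in the order the page describes (program the channel, call `tio_prm_cleanup` until CLEANUP_DONE, then `tio_copy_encrypt`, then `enclave_decrypt_verify` with the matching sequence number), the model returns CENC_PENDING_CLEANUP for any copy attempted before the last page is cleaned, refuses a source extent outside the channel's range, and rejects a ciphertext whose tag or sequence number does not match. The sequence number is the enclave's responsibility to track in this model, mirroring the SEQID seed of Table 1.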

Referring now to FIG. 7, diagram 700 illustrates a memory layout that may be established by the computing device 100. As shown, the memory 130 may be divided into user memory 702, kernel memory 704, and a TIO PRM range 706. The user memory 702 is accessible to unprivileged software such as user-mode or ring-3 software, and the kernel memory 704 is accessible to privileged software such as kernel-mode or ring-0 software. The TIO PRM range 706 is not accessible to any software of the computing device 100, and that restriction may be enforced by the processor 120.

In use, as described above in connection with FIGS. 6A and 6B, unprivileged software such as an application enclave 304 allocates a user buffer 708 in the user memory 702. Privileged software such as a class driver 308 allocates a kernel buffer 710 in the kernel memory 704. Similarly, privileged software such as the filter driver 310 allocates a shadow buffer 712 in the TIO PRM 706. In particular, the shadow buffer 712 is included in the CID TIO PRM range associated with a particular TIO channel (e.g., a particular I/O controller 138 and I/O device 140).

As shown, the I/O controller 138 may use a DMA operation to place plaintext I/O data into the shadow buffer 712. As described above, the CID filter 136 may verify that the transaction asserts a valid CID and that the shadow buffer 712 is within the correct CID TIO PRM 714. After the DMA operation, the plaintext I/O data in the shadow buffer 712 is not accessible to any software on the system. The filter driver 310 invokes the TIO_COPY_ENCRYPT instruction, and the processor 120 encrypts the plaintext data and stores the encrypted data in the kernel buffer 710. Because the I/O data was encrypted by the processor 120 and only the encrypted data reaches the kernel memory 704, the plaintext I/O data remains inaccessible to any software of the system. Next, the class driver 310 (or other privileged software) copies the encrypted data to the user buffer 708. Once in the user buffer 708, the application enclave 304 may decrypt the encrypted data to recover the plaintext I/O data. Thus, the computing device 100 securely transfers the encrypted data through the untrusted system I/O stack before allowing trusted software (e.g., the application enclave 304) to decrypt and access the plaintext I/O data.
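The FIG. 7 data path as an added Go model (not the patent's or Intel's code): the CID filter check on the DMA target, the TIO_PRM_CLEANUP before TIO_COPY_ENCRYPT ordering, and the enclave's decrypt-and-verify step. It assumes AES-GCM as the channel cipher, a flat 4 KiB memory with one constructed CID TIO PRM range, that channel programming has already happened, and hypothetical names (platform, cidRange, dmaWrite, prmCleanup, copyEncrypt, enclaveDecrypt).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// A CID TIO PRM range is a [base, base+size) window of the flat memory model
// that only the modelled processor may touch once programmed.
type cidRange struct {
	base, size uint64
	cleared    bool // set by TIO_PRM_CLEANUP, required by TIO_COPY_ENCRYPT
}

type platform struct {
	mem    []byte
	filter map[uint32]cidRange // CID filter programming: CID -> CID TIO PRM range
	keys   map[uint32][]byte   // channel keys held inside the processor
}

// newPlatform assumes EBIND/TIO_UNWRAP already programmed one channel (constructed layout).
func newPlatform(cid uint32, key []byte) *platform {
	return &platform{make([]byte, 4096), map[uint32]cidRange{cid: {base: 0x800, size: 0x400}}, map[uint32][]byte{cid: key}}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// inRange reports whether [addr, addr+n) lies entirely inside the range.
func (r cidRange) inRange(addr uint64, n int) bool {
	end := addr + uint64(n)
	return end >= addr && addr >= r.base && end <= r.base+r.size
}

// dmaWrite is the I/O controller's DMA as seen by the CID filter: a transaction
// carrying a CID may only land inside the TIO PRM range programmed for that CID;
// anything else is dropped (Example 4).
func (p *platform) dmaWrite(cid uint32, addr uint64, data []byte) error {
	r, ok := p.filter[cid]
	if !ok || !r.inRange(addr, len(data)) {
		return errors.New("CID filter: unprogrammed CID or address outside its range, dropped")
	}
	copy(p.mem[addr:], data)
	return nil
}

// prmCleanup models TIO_PRM_CLEANUP: zero the range and record that it is clean.
func (p *platform) prmCleanup(cid uint32) error {
	r, ok := p.filter[cid]
	if !ok {
		return errors.New("TIO_PRM_CLEANUP: unprogrammed channel identifier")
	}
	copy(p.mem[r.base:r.base+r.size], make([]byte, r.size))
	r.cleared = true
	p.filter[cid] = r
	return nil
}

// copyEncrypt models TIO_COPY_ENCRYPT: refuse unless the range was securely
// cleared (Examples 10 and 12), then AEAD-encrypt the shadow buffer under the
// channel key and return what the kernel buffer receives: nonce || ciphertext || tag.
// The nonce is a parameter only to keep the example deterministic.
func (p *platform) copyEncrypt(cid uint32, addr uint64, n int, nonce []byte) ([]byte, error) {
	r, ok := p.filter[cid]
	if !ok || !r.inRange(addr, n) { return nil, errors.New("TIO_COPY_ENCRYPT: address not in CID TIO PRM range") }
	if !r.cleared { return nil, errors.New("TIO_COPY_ENCRYPT: CID TIO PRM range not securely cleared") }
	g, err := newGCM(p.keys[cid])
	if err != nil { return nil, err }
	return g.Seal(append([]byte{}, nonce...), nonce, p.mem[addr:addr+uint64(n)], nil), nil
}

// enclaveDecrypt is the application enclave's blocks 638/640: decrypt the user
// buffer and verify the authentication tag with the channel key it generated.
func enclaveDecrypt(channelKey, userBuf []byte) ([]byte, error) {
	g, err := newGCM(channelKey)
	if err != nil { return nil, err }
	ns := g.NonceSize()
	if len(userBuf) < ns+g.Overhead() { return nil, errors.New("user buffer too short") }
	return g.Open(nil, userBuf[:ns], userBuf[ns:], nil)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 256-bit channel key
	nonce := make([]byte, 12)                         // constructed, fixed for determinism
	p := newPlatform(7, key)
	if err := p.prmCleanup(7); err != nil { panic(err) }
	if err := p.dmaWrite(7, 0x800, []byte("keystrokes")); err != nil { panic(err) }
	kbuf, err := p.copyEncrypt(7, 0x800, 10, nonce)
	if err != nil { panic(err) }
	ubuf := append([]byte{}, kbuf...) // class driver copies kernel buffer -> user buffer
	pt, err := enclaveDecrypt(key, ubuf)
	fmt.Printf("%q %v\n", pt, err)
}
```

Only ciphertext ever sits in the kernel and user buffers; a byte flipped anywhere in the untrusted stack fails the tag check inside the enclave.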

It should be appreciated that, in some embodiments, the methods 500 and/or 600 may be embodied as various instructions stored on a computer-readable media, which may be executed by the processor 120, the I/O subsystem 128, and/or other components of the computing device 100 to cause the computing device 100 to perform the respective method 500 and/or 600. The computer-readable media may be embodied as any type of media capable of being read by the computing device 100 including, but not limited to, the memory 130, the data storage device 132, firmware devices, other memory or data storage devices of the computing device 100, portable media readable by a peripheral device 140 of the computing device 100, and/or other media.

Examples

Illustrative examples of the technologies disclosed herein are provided below. An embodiment of the technologies may include any one or more, and any combination of, the examples described below.

Example 1 includes a computing device for trusted I/O channel protection, the computing device comprising: an I/O controller to generate an I/O transaction, wherein the I/O transaction comprises plaintext I/O data, a channel identifier, and a memory address; a channel identifier filter to (i) intercept the I/O transaction; (ii) determine whether the memory address is included in a first range of a processor reserved memory region in response to interception of the I/O transaction, wherein the first range is associated with the channel identifier; and (iii) allow the I/O transaction to write the plaintext I/O data at the memory address in response to a determination that the memory address is included in the first range of the processor reserved memory region; and a processor to (i) encrypt the plaintext I/O data at the memory address with a channel key to generate encrypted data in response to allowance of the I/O transaction, and (ii) copy the encrypted data to a memory buffer, wherein the memory buffer is outside of the processor reserved memory region.

Example 2 includes the subject matter of Example 1, and further comprising a trusted I/O manager to invoke a privileged processor feature in response to the allowance of the I/O transaction, wherein to encrypt the I/O data comprises to encrypt the I/O data in response to invocation of the privileged processor feature.

Example 3 includes the subject matter of any of Examples 1 and 2, and wherein the privileged processor feature comprises a TIO_COPY_ENCRYPT instruction of the processor.

Example 4 includes the subject matter of any of Examples 1-3, and wherein the channel identifier filter is further to drop the I/O transaction in response to a determination that the memory address is not included in the first range of the processor reserved memory region.

Example 5 includes the subject matter of any of Examples 1-4, and wherein: the channel identifier filter is further to determine whether the I/O transaction includes a channel identifier that has been programmed in response to the interception of the I/O transaction; to allow the I/O transaction to write the plaintext I/O data at the memory address further comprises to allow the I/O transaction to write the plaintext I/O data at the memory address in response to a determination that the I/O transaction does not include a channel identifier; and to determine whether the memory address is included in the first range of the processor reserved memory region further comprises to determine whether the memory address is included in the first range of the processor reserved memory region in response to a determination that the I/O transaction includes a channel identifier.

Example 6 includes the subject matter of any of Examples 1-5, and wherein the processor is further to securely program the channel identifier filter with the channel identifier and the first range of the processor reserved memory region, wherein to generate the I/O transaction comprises to generate the I/O transaction in response to secure programming of the channel identifier filter.

Example 7 includes the subject matter of any of Examples 1-6, and further comprising a firmware environment to configure the processor to reserve the processor reserved memory region, wherein to generate the I/O transaction comprises to generate the I/O transaction in response to configuration of the processor to reserve the processor reserved memory region.

Example 8 includes the subject matter of any of Examples 1-7, and wherein to configure the processor to reserve the processor reserved memory region comprises to set one or more range registers of the processor to identify the processor reserved memory region.

Example 9 includes the subject matter of any of Examples 1-8, and wherein the processor is further to prevent a software component of the computing device from accessing the processor reserved memory region in response to configuration of the processor.

Example 10 includes the subject matter of any of Examples 1-9, and wherein: the processor is further to securely clear the first range of the processor reserved memory region; and to encrypt the I/O data further comprises to: (i) determine, by the processor, whether the first range of the processor reserved memory region has been securely cleared, and (ii) encrypt the I/O data in response to a determination that the first range of the processor reserved memory region has been securely cleared.

Example 11 includes the subject matter of any of Examples 1-10, and further comprising a processor reserved memory manager to invoke a privileged processor feature to securely clear the first range of the processor reserved memory region, wherein to securely clear the first range comprises to securely clear the first range in response to invocation of the privileged processor feature.

Example 12 includes the subject matter of any of Examples 1-11, and wherein the processor is further to indicate an error condition in response to a determination that the processor reserved memory region has not been securely cleared.

Example 13 includes a computing device for secure trusted I/O channel programming, the computing device comprising: a processor; a channel identifier filter; a channel programmer to (i) generate, by an unprivileged software component of the computing device, programming information for the channel identifier filter, wherein the programming information is indicative of a channel identifier and a channel key, and (ii) invoke, by the unprivileged software component, an unprivileged processor instruction with the programming information as a parameter; and a wrapping engine to generate, by the processor, wrapped programming information based on the programming information in response to invocation of the unprivileged processor instruction, wherein the wrapped programming information includes an encrypted channel key and is indicative of a processor reserved memory region that is associated with the channel identifier.

Example 14 includes the subject matter of Example 13, and wherein the unprivileged processor instruction comprises an EBIND instruction.

Example 15 includes the subject matter of any of Examples 13 and 14, and wherein to generate the wrapped programming information comprises to encrypt the channel key with a key-wrapping key to generate the encrypted channel key, wherein the key-wrapping key is private to the processor.

Example 16 includes the subject matter of any of Examples 13-15, and further comprising a firmware environment to assign a trusted I/O processor reserved memory region, wherein the trusted I/O processor reserved memory region includes the processor reserved memory region associated with the channel identifier.

Example 17 includes the subject matter of any of Examples 13-16, and wherein the firmware environment is further to: store a trusted I/O processor reserved memory region setting in a firmware variable in response to assignment of the trusted I/O processor reserved memory region; and integrity-protect the firmware variable with a trusted platform module of the computing device.

Example 18 includes the subject matter of any of Examples 13-17, and wherein the processor is further to prevent the unprivileged software component from accessing the processor reserved memory region associated with the channel identifier.

Example 19 includes the subject matter of any of Examples 13-18, and wherein the processor further comprises secure enclave support to establish a secure enclave, and wherein the secure enclave includes the unprivileged software component.

Example 20 includes the subject matter of any of Examples 13-19, and wherein: the channel programmer is further to (i) provide, by the unprivileged software component, the wrapped programming information to a privileged software component of the computing device, and (ii) invoke, by the privileged software component, a first privileged processor feature with the wrapped programming information as a parameter; and the computing device further comprises an unwrapping engine to program, by the processor, the channel identifier filter with the channel identifier and a memory range of the processor reserved memory region in response to invocation of the first privileged processor feature.

Example 21 includes the subject matter of any of Examples 13-20, and wherein the first privileged processor feature comprises a TIO_UNWRAP instruction of the processor.

Example 22 includes the subject matter of any of Examples 13-21, and further comprising: a processor reserved memory manager to invoke, by the privileged software component, a second privileged processor feature with the memory range of the processor reserved memory region as a parameter; and a cleaning engine to securely clear, by the processor, the memory range of the processor reserved memory region in response to invocation of the second privileged processor feature.

Example 23 includes the subject matter of any of Examples 13-22, and wherein the second privileged processor feature comprises a TIO_PRM_CLEANUP instruction of the processor.

Example 24 includes the subject matter of any of Examples 13-23, and wherein: the channel programmer is further to verify, by the privileged software component, the wrapped programming information; and to invoke the first privileged processor feature comprises to invoke the first privileged processor feature in response to verification of the wrapped programming information.

Example 25 includes the subject matter of any of Examples 13-24, and wherein the channel programmer is further to read, by the privileged software component, a cryptographic response from the processor in response to invocation of the first privileged processor feature.

Example 26 includes the subject matter of any of Examples 13-25, and wherein the processor is further to prevent the privileged software component from accessing the processor reserved memory region associated with the channel identifier.

Example 27 includes the subject matter of any of Examples 13-26, and wherein the privileged software component comprises a kernel mode driver of the computing device.
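The channel programming flow of Examples 13-27 as an added Go model (not the patent's or Intel's code): the unprivileged enclave's programming information goes through the modelled EBIND, which seals the channel key under a key-wrapping key private to the processor and binds the CID and its PRM range to the blob as associated data; the privileged driver can only hand the blob to the modelled TIO_UNWRAP, which programs the filter without ever exposing the key. It assumes AES-GCM for the wrapping, a constructed firmware PRM assignment, and hypothetical names (processor, progInfo, wrapped, ebind, unwrap).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Programming information as the unprivileged enclave builds it (Example 13):
// the channel identifier and the channel key it generated.
type progInfo struct {
	cid uint32
	key []byte
}

// Wrapped programming information as the modelled EBIND returns it (Examples
// 13-15): the channel key sealed under the processor's key-wrapping key, with
// the CID and its PRM range bound in as authenticated associated data so that
// TIO_UNWRAP can check them without any software seeing the key.
type wrapped struct {
	cid        uint32
	base, size uint64
	blob       []byte // nonce || AES-GCM(KWK, key, aad = cid||base||size)
}

type processor struct {
	kwk    []byte               // key-wrapping key; never leaves the processor
	prm    map[uint32][2]uint64 // firmware-assigned CID -> {base, size} in the TIO PRM
	filter map[uint32][2]uint64 // CID filter programming, written only by TIO_UNWRAP
	keys   map[uint32][]byte    // channel keys, known to the processor only after TIO_UNWRAP
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

func (w wrapped) aad() []byte {
	b := make([]byte, 20)
	binary.LittleEndian.PutUint32(b, w.cid)
	binary.LittleEndian.PutUint64(b[4:], w.base)
	binary.LittleEndian.PutUint64(b[12:], w.size)
	return b
}

// ebind models the unprivileged EBIND instruction. The nonce is a parameter only
// to keep the example deterministic; a real engine would draw a fresh one.
func (p *processor) ebind(pi progInfo, nonce []byte) (wrapped, error) {
	rng, ok := p.prm[pi.cid]
	if !ok { return wrapped{}, errors.New("EBIND: no PRM range assigned to this CID") }
	w := wrapped{cid: pi.cid, base: rng[0], size: rng[1]}
	g, err := newGCM(p.kwk)
	if err != nil { return wrapped{}, err }
	w.blob = g.Seal(append([]byte{}, nonce...), nonce, pi.key, w.aad())
	return w, nil
}

// unwrap models the privileged TIO_UNWRAP instruction (Examples 20-21): only a
// blob produced under this processor's KWK, with an untampered CID and range,
// programs the filter; the kernel driver that passed it in never sees the key.
func (p *processor) unwrap(w wrapped) error {
	g, err := newGCM(p.kwk)
	if err != nil { return err }
	ns := g.NonceSize()
	if len(w.blob) < ns+g.Overhead() { return errors.New("TIO_UNWRAP: malformed wrapped programming information") }
	key, err := g.Open(nil, w.blob[:ns], w.blob[ns:], w.aad())
	if err != nil { return errors.New("TIO_UNWRAP: wrapped programming information rejected") }
	p.filter[w.cid] = [2]uint64{w.base, w.size}
	p.keys[w.cid] = key
	return nil
}

func main() {
	cpu := &processor{
		kwk:    []byte("kwk-private-to-processor-32bytes"), // constructed 32-byte KWK
		prm:    map[uint32][2]uint64{7: {0x800, 0x400}},   // constructed firmware assignment
		filter: map[uint32][2]uint64{},
		keys:   map[uint32][]byte{},
	}
	pi := progInfo{cid: 7, key: []byte("0123456789abcdef0123456789abcdef")} // constructed channel key
	w, err := cpu.ebind(pi, make([]byte, 12))
	if err != nil { panic(err) }
	fmt.Printf("wrapped blob for CID %d: %x\n", w.cid, w.blob)
	fmt.Println("TIO_UNWRAP:", cpu.unwrap(w), "filter:", cpu.filter[7])
}
```

Because the range is covered by the tag, a driver that rewrites the wrapped information to point the channel at a different region is refused at TIO_UNWRAP rather than silently programming the filter.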

Example 28 includes the subject matter of any of Examples 13-27, and wherein: the channel identifier filter is to verify an I/O transaction in response to programming of the channel identifier filter, wherein the I/O transaction comprises the channel identifier and a memory address, and wherein to verify the I/O transaction comprises to verify that the memory address is included in the processor reserved memory region that is associated with the channel identifier; the computing device further comprises a trusted I/O manager to invoke, by the privileged software component, a third privileged processor feature in response to verification of the I/O transaction; and the computing device further comprises a copy/encrypt engine to (i) encrypt, by the processor, I/O data at the memory address with the channel key to generate encrypted data in response to invocation of the third privileged processor feature, and (ii) copy, by the processor, the encrypted data to a privileged memory buffer, wherein the privileged memory buffer is outside of the processor reserved memory region.

Example 29 includes the subject matter of any of Examples 13-28, and wherein the third privileged processor feature comprises a TIO_COPY_ENCRYPT instruction of the processor.

Example 30 includes the subject matter of any of Examples 13-29, and wherein the privileged software component comprises a kernel mode filter driver of the computing device.

Example 31 includes the subject matter of any of Examples 13-30, and wherein: the trusted I/O manager is further to: (i) intercept, by the filter driver, an I/O request, wherein the I/O request is indicative of the privileged memory buffer; (ii) allocate, by the filter driver, a shadow memory buffer located at the memory address in the processor reserved memory region that is associated with the channel identifier; and (iii) generate, by the filter driver, a replacement I/O request indicative of the memory address in response to allocating the shadow memory buffer; the computing device further comprises an I/O controller to generate the I/O transaction in response to generation of the replacement I/O request; and to verify the I/O transaction comprises to verify the I/O transaction in response to generation of the I/O transaction.

Example 32 includes the subject matter of any of Examples 13-31, and further comprising: a processor reserved memory manager to invoke, by the privileged software component, a second privileged processor feature to securely clear the processor reserved memory region that is associated with the channel identifier; wherein the copy/encrypt engine is further to determine, by the processor, whether the processor reserved memory region has been securely cleared in response to invocation of the privileged processor feature; and wherein to encrypt the I/O data comprises to encrypt the I/O data in response to a determination that the processor reserved memory region has been securely cleared.

Example 33 includes the subject matter of any of Examples 13-32, and wherein the copy/encrypt engine is further to indicate, by the processor, an error condition in response to a determination that the processor reserved memory region has not been securely cleared.

Example 34 includes the subject matter of any of Examples 13-33, and wherein the trusted I/O manager is further to copy, by the privileged software component, the encrypted data from the privileged memory buffer to an unprivileged memory buffer.

Example 35 includes the subject matter of any of Examples 13-34, and wherein the trusted I/O manager is further to decrypt, by the unprivileged software component of the computing device, the encrypted data in the unprivileged memory buffer in response to copying of the encrypted data.

Example 36 includes a method for trusted I/O channel protection, the method comprising: generating, by an I/O controller of a computing device, an I/O transaction, wherein the I/O transaction comprises plaintext I/O data, a channel identifier, and a memory address; intercepting, by a channel identifier filter of the computing device, the I/O transaction; determining, by the channel identifier filter, whether the memory address is included in a first range of a processor reserved memory region in response to intercepting the I/O transaction, wherein the first range is associated with the channel identifier; allowing, by the channel identifier filter, the I/O transaction to write the plaintext I/O data at the memory address in response to determining that the memory address is included in the first range of the processor reserved memory region; encrypting, by a processor of the computing device, the plaintext I/O data at the memory address with a channel key to generate encrypted data in response to allowing the I/O transaction; and copying, by the processor, the encrypted data to a memory buffer, wherein the memory buffer is outside of the processor reserved memory region.

Example 37 includes the subject matter of Example 36, and further comprising invoking, by the computing device, a privileged processor feature in response to allowing the I/O transaction, wherein encrypting the I/O data comprises encrypting the I/O data in response to invoking the privileged processor feature.

Example 38 includes the subject matter of any of Examples 36 and 37, and wherein invoking the privileged processor feature comprises invoking a TIO_COPY_ENCRYPT instruction of the processor.

Example 39 includes the subject matter of any of Examples 36-38, and further comprising dropping, by the channel identifier filter, the I/O transaction in response to determining that the memory address is not included in the first range of the processor reserved memory region.

Example 40 includes the subject matter of any of Examples 36-39, and further comprising: determining, by the channel identifier filter, whether the I/O transaction includes a channel identifier that has been programmed in response to intercepting the I/O transaction; wherein allowing the I/O transaction to write the plaintext I/O data at the memory address further comprises allowing the I/O transaction to write the plaintext I/O data at the memory address in response to determining that the I/O transaction does not include a channel identifier; and wherein determining whether the memory address is included in the first range of the processor reserved memory region further comprises determining whether the memory address is included in the first range of the processor reserved memory region in response to determining that the I/O transaction includes a channel identifier.

Example 41 includes the subject matter of any of Examples 36-40, and further comprising securely programming, by the computing device, the channel identifier filter with the channel identifier and the first range of the processor reserved memory region, wherein generating the I/O transaction comprises generating the I/O transaction in response to securely programming the channel identifier filter.

Example 42 includes the subject matter of any of Examples 36-41, and further comprising: configuring, by the computing device, the processor to reserve the processor reserved memory region, wherein generating the I/O transaction comprises generating the I/O transaction in response to configuring the processor to reserve the processor reserved memory region.

Example 43 includes the subject matter of any of Examples 36-42, and wherein configuring the processor to reserve the processor reserved memory region comprises setting one or more range registers of the processor to identify the processor reserved memory region.

Example 44 includes the subject matter of any of Examples 36-43, and further comprising preventing, by the processor of the computing device, a software component of the computing device from accessing the processor reserved memory region in response to configuring the processor.

Example 45 includes the subject matter of any of Examples 36-44, and further comprising: securely clearing, by the processor of the computing device, the first range of the processor reserved memory region; wherein encrypting the I/O data further comprises: (i) determining, by the processor, whether the first range of the processor reserved memory region has been securely cleared, and (ii) encrypting the I/O data in response to determining that the first range of the processor reserved memory region has been securely cleared.

Example 46 includes the subject matter of any of Examples 36-45, and further comprising invoking, by the computing device, a privileged processor feature to securely clear the first range of the processor reserved memory region, wherein securely clearing the first range comprises securely clearing the first range in response to invoking the privileged processor feature.

Example 47 includes the subject matter of any of Examples 36-46, and further comprising indicating, by the processor, an error condition in response to determining that the first range of the processor reserved memory region has not been securely cleared.

Example 48 includes a method for secure trusted I/O channel programming, the method comprising: generating, by an unprivileged software component of a computing device, programming information for a channel identifier filter of the computing device, wherein the programming information is indicative of a channel identifier and a channel key; invoking, by the unprivileged software component, an unprivileged processor instruction with the programming information as a parameter; and generating, by a processor of the computing device, wrapped programming information based on the programming information in response to invoking the unprivileged processor instruction, wherein the wrapped programming information includes an encrypted channel key and is indicative of a processor reserved memory region that is associated with the channel identifier.

Example 49 includes the subject matter of Example 48, and wherein invoking the unprivileged processor instruction comprises invoking an EBIND instruction.

Example 50 includes the subject matter of any of Examples 48 and 49, and wherein generating the wrapped programming information comprises encrypting the channel key with a key-wrapping key to generate the encrypted channel key, wherein the key-wrapping key is private to the processor.

Example 51 includes the subject matter of any of Examples 48-50, and further comprising assigning, by a firmware environment of the computing device, a trusted I/O processor reserved memory region, wherein the trusted I/O processor reserved memory region includes the processor reserved memory region associated with the channel identifier.

Example 52 includes the subject matter of any of Examples 48-51, and further comprising: storing, by the firmware environment, a trusted I/O processor reserved memory region setting in a firmware variable in response to assigning the trusted I/O processor reserved memory region; and integrity-protecting, by the firmware environment, the firmware variable using a trusted platform module of the computing device.

Example 53 includes the subject matter of any of Examples 48-52, and further comprising preventing, by the computing device, the unprivileged software component from accessing the processor reserved memory region associated with the channel identifier.

Example 54 includes the subject matter of any of Examples 48-53, and further comprising establishing, by the processor, a secure enclave with secure enclave support of the processor, wherein the secure enclave includes the unprivileged software component.

Example 55 includes the subject matter of any of Examples 48-54, and further comprising: providing, by the unprivileged software component, the wrapped programming information to a privileged software component of the computing device; invoking, by the privileged software component, a first privileged processor feature with the wrapped programming information as a parameter; and programming, by the processor, the channel identifier filter with the channel identifier and a memory range of the processor reserved memory region in response to invoking the first privileged processor feature.

Example 56 includes the subject matter of any of Examples 48-55, and wherein invoking the first privileged processor feature comprises invoking a TIO_UNWRAP instruction of the processor.

Example 57 includes the subject matter of any of Examples 48-56, and further comprising: invoking, by the privileged software component, a second privileged processor feature with the memory range of the processor reserved memory region as a parameter; and securely clearing, by the processor, the memory range of the processor reserved memory region in response to invoking the second privileged processor feature.

Example 58 includes the subject matter of any of Examples 48-57, and wherein invoking the second privileged processor feature comprises invoking a TIO_PRM_CLEANUP instruction of the processor.

Example 59 includes the subject matter of any of Examples 48-58, and further comprising: verifying, by the privileged software component, the wrapped programming information; wherein invoking the first privileged processor feature comprises invoking the first privileged processor feature in response to verifying the wrapped programming information.

Example 60 includes the subject matter of any of Examples 48-59, and further comprising reading, by the privileged software component, a cryptographic response from the processor in response to invoking the first privileged processor feature.

Example 61 includes the subject matter of any of Examples 48-60, and further comprising preventing, by the computing device, the privileged software component from accessing the processor reserved memory region associated with the channel identifier.

Example 62 includes the subject matter of any of Examples 48-61, and wherein the privileged software component comprises a kernel mode driver of the computing device.

Example 63 includes the subject matter of any of Examples 48-62, and further comprising: verifying, by the channel identifier filter, an I/O transaction in response to programming the channel identifier filter, wherein the I/O transaction comprises the channel identifier and a memory address, and wherein verifying the I/O transaction comprises verifying that the memory address is included in the processor reserved memory region that is associated with the channel identifier; invoking, by the privileged software component, a third privileged processor feature in response to verifying the I/O transaction; encrypting, by the processor, I/O data at the memory address with the channel key to generate encrypted data in response to invoking the third privileged processor feature; and copying, by the processor, the encrypted data to a privileged memory buffer, wherein the privileged memory buffer is outside of the processor reserved memory region.

Example 64 includes the subject matter of any of Examples 48-63, and wherein invoking the third privileged processor feature comprises invoking a TIO_COPY_ENCRYPT instruction of the processor.

Example 65 includes the subject matter of any of Examples 48-64, and wherein the privileged software component comprises a kernel mode filter driver of the computing device.

Example 66 includes the subject matter of any of Examples 48-65, and further comprising: intercepting, by the filter driver, an I/O request, wherein the I/O request is indicative of the privileged memory buffer; allocating, by the filter driver, a shadow memory buffer located at the memory address in the processor reserved memory region that is associated with the channel identifier; generating, by the filter driver, a replacement I/O request indicative of the memory address in response to allocating the shadow memory buffer; and generating, by an I/O controller of the computing device, the I/O transaction in response to generating the replacement I/O request; wherein verifying the I/O transaction comprises verifying the I/O transaction in response to generating the I/O transaction.

Example 67 includes the subject matter of any of Examples 48-66, and further comprising: invoking, by the privileged software component, a second privileged processor feature to securely clear the processor reserved memory region that is associated with the channel identifier; and determining, by the processor, whether the processor reserved memory region has been securely cleared in response to invoking the third privileged processor feature; wherein encrypting the I/O data comprises encrypting the I/O data in response to determining that the processor reserved memory region has been securely cleared.

Example 68 includes the subject matter of any of Examples 48-67, and further comprising indicating, by the processor, an error condition in response to determining that the processor reserved memory region has not been securely cleared.

Example 69 includes the subject matter of any of Examples 48-68, and further comprising copying, by the privileged software component, the encrypted data from the privileged memory buffer to an unprivileged memory buffer.

Example 70 includes the subject matter of any of Examples 48-69, and further comprising decrypting, by the unprivileged software component of the computing device, the encrypted data in the unprivileged memory buffer in response to copying the encrypted data.

Example 71 includes a computing device comprising: a processor; and a memory having stored therein a plurality of instructions that when executed by the processor cause the computing device to perform the method of any of Examples 36-70.

Example 72 includes one or more machine readable storage media comprising a plurality of instructions stored thereon that in response to being executed result in a computing device performing the method of any of Examples 36-70.

Example 73 includes a computing device comprising means for performing the method of any of Examples 36-70.

Example 74 includes a computing device for trusted I/O channel protection, the computing device comprising: means for generating, by an I/O controller of the computing device, an I/O transaction, wherein the I/O transaction comprises plaintext I/O data, a channel identifier, and a memory address; means for intercepting, by a channel identifier filter of the computing device, the I/O transaction; means for determining, by the channel identifier filter, whether the memory address is included in a first range of a processor reserved memory region in response to intercepting the I/O transaction, wherein the first range is associated with the channel identifier; means for allowing, by the channel identifier filter, the I/O transaction to write the plaintext I/O data at the memory address in response to determining that the memory address is included in the first range of the processor reserved memory region; means for encrypting, by a processor of the computing device, the plaintext I/O data at the memory address with a channel key to generate encrypted data in response to allowing the I/O transaction; and means for copying, by the processor, the encrypted data to a memory buffer, wherein the memory buffer is outside of the processor reserved memory region.

Example 75 includes the subject matter of Example 74, and further comprising means for invoking a privileged processor feature in response to allowing the I/O transaction, wherein encrypting the I/O data comprises encrypting the I/O data in response to invoking the privileged processor feature.

Example 76 includes the subject matter of any of Examples 74 and 75, and wherein the means for invoking the privileged processor feature comprises means for invoking a TIO_COPY_ENCRYPT instruction of the processor.

Example 77 includes the subject matter of any of Examples 74-76, and further comprising means for dropping, by the channel identifier filter, the I/O transaction in response to determining that the memory address is not included in the first range of the processor reserved memory region.

Example 78 includes the subject matter of any of Examples 74-77, and further comprising: means for determining, by the channel identifier filter, whether the I/O transaction includes a channel identifier that has been programmed in response to intercepting the I/O transaction; wherein the means for allowing the I/O transaction to write the plaintext I/O data at the memory address further comprises means for allowing the I/O transaction to write the plaintext I/O data at the memory address in response to determining that the I/O transaction does not include a channel identifier; and wherein the means for determining whether the memory address is included in the first range of the processor reserved memory region further comprises means for determining whether the memory address is included in the first range of the processor reserved memory region in response to determining that the I/O transaction includes a channel identifier.

Example 79 includes the subject matter of any of Examples 74-78, and further comprising means for securely programming the channel identifier filter with the channel identifier and the first range of the processor reserved memory region, wherein generating the I/O transaction comprises generating the I/O transaction in response to securely programming the channel identifier filter.

Example 80 includes the subject matter of any of Examples 74-79, and further comprising means for configuring the processor to reserve the processor reserved memory region, wherein the means for generating the I/O transaction comprises means for generating the I/O transaction in response to configuring the processor to reserve the processor reserved memory region.

Example 81 includes the subject matter of any of Examples 74-80, and wherein the means for configuring the processor to reserve the processor reserved memory region comprises means for setting one or more range registers of the processor to identify the processor reserved memory region.

Example 82 includes the subject matter of any of Examples 74-81, and further comprising means for preventing, by the processor of the computing device, a software component of the computing device from accessing the processor reserved memory region in response to configuring the processor.

Example 83 includes the subject matter of any of Examples 74-82, andfurther comprising: means for securely clearing, by the processor of thecomputing device, the first range of the processor reserved memoryregion; wherein the means for encrypting the I/O data further comprises:(i) means for determining, by the processor, whether the first range ofthe processor reserved memory region has been securely cleared, and (ii)means for encrypting the I/O data in response to determining that thefirst range of the processor reserved memory region has been securelycleared.

Example 84 includes the subject matter of any of Examples 74-83, andfurther comprising means for invoking a privileged processor feature tosecurely clear the first range of the processor reserved memory region,wherein the means for securely clearing the first range comprises meansfor securely clearing the first range in response to invoking theprivileged processor feature.

Example 85 includes the subject matter of any of Examples 74-84, andfurther comprising means for indicating, by the processor, an errorcondition in response to determining that the first range of theprocessor reserved memory region has not been securely cleared.

Example 86 includes a computing device for secure trusted I/O channelprogramming, the computing device comprising: means for generating, byan unprivileged software component of the computing device, programminginformation for a channel identifier filter of the computing device,wherein the programming information is indicative of a channelidentifier and a channel key; means for invoking, by the unprivilegedsoftware component, an unprivileged processor instruction with theprogramming information as a parameter; and means for generating, by aprocessor of the computing device, wrapped programming information basedon the programming information in response to invoking the unprivilegedprocessor instruction, wherein the wrapped programming informationincludes an encrypted channel key and is indicative of a processorreserved memory region that is associated with the channel identifier.

Example 87 includes the subject matter of Example 86, and wherein themeans for invoking the unprivileged processor instruction comprisesmeans for invoking an EBIND instruction.

Example 88 includes the subject matter of any of Examples 86 and 87, andwherein the means for generating the wrapped programming informationcomprises means for encrypting the channel key with a key-wrapping keyto generate the encrypted channel key, wherein the key-wrapping key isprivate to the processor.

Example 89 includes the subject matter of any of Examples 86-88, andfurther comprising means for assigning, by a firmware environment of thecomputing device, a trusted I/O processor reserved memory region,wherein the trusted I/O processor reserved memory region includes theprocessor reserved memory region associated with the channel identifier.

Example 90 includes the subject matter of any of Examples 86-89, andfurther comprising: means for storing, by the firmware environment, atrusted I/O processor reserved memory region setting in a firmwarevariable in response to assigning the trusted I/O processor reservedmemory region; and means for integrity-protecting, by the firmwareenvironment, the firmware variable using a trusted platform module ofthe computing device.

Example 91 includes the subject matter of any of Examples 86-90, andfurther comprising means for preventing the unprivileged softwarecomponent from accessing the processor reserved memory region associatedwith the channel identifier.

Example 92 includes the subject matter of any of Examples 86-91, andfurther comprising means for establishing, by the processor, a secureenclave with secure enclave support of the processor, wherein the secureenclave includes the unprivileged software component.

Example 93 includes the subject matter of any of Examples 86-92, andfurther comprising: means for providing, by the unprivileged softwarecomponent, the wrapped programming information to a privileged softwarecomponent of the computing device; means for invoking, by the privilegedsoftware component, a first privileged processor feature with thewrapped programming information as a parameter; and means forprogramming, by the processor, the channel identifier filter with thechannel identifier and a memory range of the processor reserved memoryregion in response to invoking the first privileged processor feature.

Example 94 includes the subject matter of any of Examples 86-93, andwherein the means for invoking the first privileged processor featurecomprises means for invoking a TIO_UNWRAP instruction of the processor.

Example 95 includes the subject matter of any of Examples 86-94, andfurther comprising: means for invoking, by the privileged softwarecomponent, a second privileged processor feature with the memory rangeof the processor reserved memory region as a parameter; and means forsecurely clearing, by the processor, the memory range of the processorreserved memory region in response to invoking the second privilegedprocessor feature.

Example 96 includes the subject matter of any of Examples 86-95, andwherein the means for invoking the second privileged processor featurecomprises means for invoking a TIO_PRM_CLEANUP instruction of theprocessor.

Example 97 includes the subject matter of any of Examples 86-96, andfurther comprising: means for verifying, by the privileged softwarecomponent, the wrapped programming information; wherein the means forinvoking the first privileged processor feature comprises means forinvoking the first privileged processor feature in response to verifyingthe wrapped programming information.

Example 98 includes the subject matter of any of Examples 86-97, andfurther comprising means for reading, by the privileged softwarecomponent, a cryptographic response from the processor in response toinvoking the first privileged processor feature.

Example 99 includes the subject matter of any of Examples 86-98, andfurther comprising means for preventing the privileged softwarecomponent from accessing the processor reserved memory region associatedwith the channel identifier.

Example 100 includes the subject matter of any of Examples 86-99, andwherein the privileged software component comprises a kernel mode driverof the computing device.

Example 101 includes the subject matter of any of Examples 86-100, andfurther comprising: means for verifying, by the channel identifierfilter, an I/O transaction in response to programming the channelidentifier filter, wherein the I/O transaction comprises the channelidentifier and a memory address, and wherein verifying the I/Otransaction comprises verifying that the memory address is included inthe processor reserved memory region that is associated with the channelidentifier; means for invoking, by the privileged software component, athird privileged processor feature in response to verifying the I/Otransaction; means for encrypting, by the processor, I/O data at thememory address with the channel key to generated encrypted data inresponse to invoking the third privileged processor feature; and meansfor copying, by the processor, the encrypted data to a privileged memorybuffer, wherein the privileged memory buffer is outside of the processorreserved memory region.

Example 102 includes the subject matter of any of Examples 86-101, andwherein the means for invoking the third privileged processor featurecomprises means for invoking a TIO_COPY_ENCRYPT instruction of theprocessor.

Example 103 includes the subject matter of any of Examples 86-102, andwherein the privileged software component comprises a kernel mode filterdriver of the computing device.

Example 104 includes the subject matter of any of Examples 86-103, andfurther comprising: means for intercepting, by the filter driver, an I/Orequest, wherein the I/O request is indicative of the privileged memorybuffer; means for allocating, by the filter driver, a shadow memorybuffer located at the memory address in the processor reserved memoryregion that is associated with the channel identifier; means forgenerating, by the filter driver, a replacement I/O request indicativeof the memory address in response to allocating the shadow memorybuffer; and means for generating, by an I/O controller of the computingdevice, the I/O transaction in response to generating the replacementI/O request; wherein the means for verifying the I/O transactioncomprises means for verifying the I/O transaction in response togenerating the I/O transaction.

Example 105 includes the subject matter of any of Examples 86-104, andfurther comprising: means for invoking, by the privileged softwarecomponent, a second privileged processor feature to securely clear theprocessor reserved memory region that is associated with the channelidentifier; and means for determining, by the processor, whether theprocessor reserved memory region has been securely cleared in responseto invoking the third privileged processor feature; wherein the meansfor encrypting the I/O data comprises means for encrypting the I/O datain response to determining that the processor reserved memory region hasbeen securely cleared.

Example 106 includes the subject matter of any of Examples 86-105, andfurther comprising means for indicating, by the processor, an errorcondition in response to determining that the processor reserved memoryregion has not been securely cleared.

Example 107 includes the subject matter of any of Examples 86-106, andfurther comprising means for copying, by the privileged softwarecomponent, the encrypted data from the privileged memory buffer to anunprivileged memory buffer.

Example 108 includes the subject matter of any of Examples 86-107, andfurther comprising means for decrypting, by the unprivileged softwarecomponent of the computing device, the encrypted data in theunprivileged memory buffer in response to copying the encrypted data.
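The programming and data-path sequence of Examples 74-85 and 86-108, as an added reference model that is not the patent's or Intel's code: the channel identifier filter admits a device write only inside the channel's programmed range, EBIND wraps the channel key under a processor-private key-wrapping key, TIO_UNWRAP verifies the wrapped information and programs the filter without ever exposing the key to the kernel driver, and TIO_COPY_ENCRYPT refuses to run unless TIO_PRM_CLEANUP cleared the range first. The memory layout, the wrapped-blob format and the HMAC-based stand-in cipher are assumptions of this model; the patent specifies none of them.

```python
import hashlib, hmac, os

PRM_BASE, PRM_SIZE = 0x1000, 0x800  # constructed PRM placement (assumption)

def xor_stream(key, nonce, data):
    # Stand-in cipher (assumption): HMAC-SHA256 keystream in counter mode.
    out = bytearray()
    for i in range(0, len(data), 32):
        blk = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], blk))
    return bytes(out)

class CidFilter:
    """Channel identifier filter: programmed channel id -> allowed PRM range."""
    def __init__(self):
        self.ranges = {}
    def intercept(self, txn):
        # Examples 74, 77, 78: an unprogrammed channel id passes through;
        # a programmed id may only write inside its own PRM range.
        rng = self.ranges.get(txn.get("cid"))
        if rng is None:
            return True
        base, size = rng
        return base <= txn["addr"] and txn["addr"] + txn["len"] <= base + size

class Processor:
    def __init__(self):
        self.kwk = os.urandom(32)  # key-wrapping key, private to the processor
        self.filter, self.keys, self.cleared = CidFilter(), {}, set()
    def ebind(self, cid, channel_key):
        # Unprivileged EBIND (Examples 86-88): wrap the channel key under the
        # KWK and bind it to cid's PRM range. The blob layout is an assumption.
        hdr = b"".join(v.to_bytes(4, "big") for v in (cid, PRM_BASE, PRM_SIZE))
        nonce = os.urandom(16)
        enc = xor_stream(self.kwk, nonce, channel_key)
        return hdr + nonce + enc + hmac.new(self.kwk, hdr + nonce + enc, hashlib.sha256).digest()
    def tio_unwrap(self, blob):
        # Privileged TIO_UNWRAP (Examples 93, 94, 97): verify the blob, then
        # program the filter. The unwrapped key never leaves the processor.
        hdr, nonce, enc, tag = blob[:12], blob[12:28], blob[28:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.kwk, hdr + nonce + enc, hashlib.sha256).digest()):
            raise ValueError("wrapped programming information failed verification")
        cid, base, size = (int.from_bytes(hdr[i:i + 4], "big") for i in (0, 4, 8))
        self.keys[cid] = xor_stream(self.kwk, nonce, enc)
        self.filter.ranges[cid] = (base, size)
    def tio_prm_cleanup(self, mem, base, size):
        # TIO_PRM_CLEANUP (Examples 83, 84, 95, 96): securely clear the range.
        mem[base:base + size] = bytes(size)
        self.cleared.add((base, size))
    def tio_copy_encrypt(self, mem, cid, addr, length, dst):
        # TIO_COPY_ENCRYPT (Examples 74, 83, 85, 101): encrypt the plaintext in
        # PRM with the channel key and copy the ciphertext to dst, outside PRM.
        rng = self.filter.ranges[cid]
        if rng not in self.cleared:
            raise RuntimeError("PRM range not securely cleared")  # Example 85
        self.cleared.discard(rng)  # one clear covers one fill of the range
        nonce = os.urandom(16)
        mem[dst:dst + 16 + length] = nonce + xor_stream(self.keys[cid], nonce, mem[addr:addr + length])

def trusted_io_flow(plaintext, cid=7, write_addr=PRM_BASE):
    # End-to-end run; returns (filter verdict, bytes recovered by the enclave).
    mem = bytearray(0x2000)  # constructed flat memory holding PRM and buffers
    cpu = Processor()
    channel_key = os.urandom(32)  # generated inside the enclave (unprivileged)
    cpu.tio_unwrap(cpu.ebind(cid, channel_key))  # enclave -> kernel driver -> CPU
    cpu.tio_prm_cleanup(mem, PRM_BASE, PRM_SIZE)
    txn = {"cid": cid, "addr": write_addr, "len": len(plaintext)}
    if not cpu.filter.intercept(txn):
        return False, None  # Example 77: dropped, nothing lands in memory
    mem[write_addr:write_addr + len(plaintext)] = plaintext  # device write
    cpu.tio_copy_encrypt(mem, cid, write_addr, len(plaintext), 0)  # buffer at 0
    blob = bytes(mem[:16 + len(plaintext)])  # driver copies it to the enclave's buffer
    return True, xor_stream(channel_key, blob[:16], blob[16:])
```

A write that lands outside the channel's range is dropped by the filter before any plaintext reaches memory, and a second copy without a fresh clear trips the Example 85 error condition.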

1. A computing device for secure trusted I/O channel programming, the computing device comprising: a processor; a channel identifier filter; a channel programmer to (i) generate, by an unprivileged software component of the computing device, programming information for the channel identifier filter, wherein the programming information is indicative of a channel identifier and a channel key, and (ii) invoke, by the unprivileged software component, an unprivileged processor instruction with the programming information as a parameter; and a wrapping engine to generate, by the processor, wrapped programming information based on the programming information in response to invocation of the unprivileged processor instruction, wherein the wrapped programming information includes an encrypted channel key and is indicative of a processor reserved memory region that is associated with the channel identifier.

2. The computing device of claim 1, wherein the unprivileged processor instruction comprises an EBIND instruction.

3. The computing device of claim 1, wherein to generate the wrapped programming information comprises to encrypt the channel key with a key-wrapping key to generate the encrypted channel key, wherein the key-wrapping key is private to the processor.

4. The computing device of claim 1, further comprising a firmware environment to assign a trusted I/O processor reserved memory region, wherein the trusted I/O processor reserved memory region includes the processor reserved memory region associated with the channel identifier.

5. The computing device of claim 4, wherein the firmware environment is further to: store a trusted I/O processor reserved memory region setting in a firmware variable in response to assignment of the trusted I/O processor reserved memory region; and integrity-protect the firmware variable with a trusted platform module of the computing device.

6. The computing device of claim 1, wherein the processor is further to prevent the unprivileged software component from accessing the processor reserved memory region associated with the channel identifier.

7. The computing device of claim 1, wherein the processor further comprises secure enclave support to establish a secure enclave, and wherein the secure enclave includes the unprivileged software component.

8. The computing device of claim 1, wherein: the channel programmer is further to (i) provide, by the unprivileged software component, the wrapped programming information to a privileged software component of the computing device, and (ii) invoke, by the privileged software component, a first privileged processor feature with the wrapped programming information as a parameter; and the computing device further comprises an unwrapping engine to program, by the processor, the channel identifier filter with the channel identifier and a memory range of the processor reserved memory region in response to invocation of the first privileged processor feature.

9. The computing device of claim 8, wherein the first privileged processor feature comprises a TIO_UNWRAP instruction of the processor.

10. The computing device of claim 8, further comprising: a processor reserved memory manager to invoke, by the privileged software component, a second privileged processor feature with the memory range of the processor reserved memory region as a parameter; and a cleaning engine to securely clear, by the processor, the memory range of the processor reserved memory region in response to invocation of the second privileged processor feature.

11. The computing device of claim 10, wherein the second privileged processor feature comprises a TIO_PRM_CLEANUP instruction of the processor.

12. The computing device of claim 8, wherein: the channel programmer is further to verify, by the privileged software component, the wrapped programming information; and to invoke the first privileged processor feature comprises to invoke the first privileged processor feature in response to verification of the wrapped programming information.

13. The computing device of claim 8, wherein the channel programmer is further to read, by the privileged software component, a cryptographic response from the processor in response to invocation of the first privileged processor feature.

14. The computing device of claim 8, wherein the processor is further to prevent the privileged software component from accessing the processor reserved memory region associated with the channel identifier.

15. The computing device of claim 8, wherein the privileged software component comprises a kernel mode driver of the computing device.

16. A method for secure trusted I/O channel programming, the method comprising: generating, by an unprivileged software component of a computing device, programming information for a channel identifier filter of the computing device, wherein the programming information is indicative of a channel identifier and a channel key; invoking, by the unprivileged software component, an unprivileged processor instruction with the programming information as a parameter; and generating, by a processor of the computing device, wrapped programming information based on the programming information in response to invoking the unprivileged processor instruction, wherein the wrapped programming information includes an encrypted channel key and is indicative of a processor reserved memory region that is associated with the channel identifier.

17. The method of claim 16, further comprising preventing, by the computing device, the unprivileged software component from accessing the processor reserved memory region associated with the channel identifier.

18. The method of claim 16, further comprising: providing, by the unprivileged software component, the wrapped programming information to a privileged software component of the computing device; invoking, by the privileged software component, a first privileged processor feature with the wrapped programming information as a parameter; and programming, by the processor, the channel identifier filter with the channel identifier and a memory range of the processor reserved memory region in response to invoking the first privileged processor feature.

19. The method of claim 18, further comprising: invoking, by the privileged software component, a second privileged processor feature with the memory range of the processor reserved memory region as a parameter; and securely clearing, by the processor, the memory range of the processor reserved memory region in response to invoking the second privileged processor feature.

20. The method of claim 18, further comprising preventing, by the computing device, the privileged software component from accessing the processor reserved memory region associated with the channel identifier.

21. One or more computer-readable storage media comprising a plurality of instructions that in response to being executed cause a computing device to: generate, by an unprivileged software component of the computing device, programming information for a channel identifier filter of the computing device, wherein the programming information is indicative of a channel identifier and a channel key; invoke, by the unprivileged software component, an unprivileged processor instruction with the programming information as a parameter; and generate, by a processor of the computing device, wrapped programming information based on the programming information in response to invoking the unprivileged processor instruction, wherein the wrapped programming information includes an encrypted channel key and is indicative of a processor reserved memory region that is associated with the channel identifier.

22. The one or more computer-readable storage media of claim 21, further comprising a plurality of instructions that in response to being executed cause the computing device to prevent the unprivileged software component from accessing the processor reserved memory region associated with the channel identifier.

23. The one or more computer-readable storage media of claim 21, further comprising a plurality of instructions that in response to being executed cause the computing device to: provide, by the unprivileged software component, the wrapped programming information to a privileged software component of the computing device; invoke, by the privileged software component, a first privileged processor feature with the wrapped programming information as a parameter; and program, by the processor, the channel identifier filter with the channel identifier and a memory range of the processor reserved memory region in response to invoking the first privileged processor feature.

24. The one or more computer-readable storage media of claim 23, further comprising a plurality of instructions that in response to being executed cause the computing device to: invoke, by the privileged software component, a second privileged processor feature with the memory range of the processor reserved memory region as a parameter; and securely clear, by the processor, the memory range of the processor reserved memory region in response to invoking the second privileged processor feature.

25. The one or more computer-readable storage media of claim 23, further comprising a plurality of instructions that in response to being executed cause the computing device to prevent the privileged software component from accessing the processor reserved memory region associated with the channel identifier.